Question
A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company’s finance team has a data processing application that uses AWS Lambda and Amazon DynamoDB. The company’s marketing team wants to access the data that is stored in the DynamoDB table. The DynamoDB table contains confidential data. The marketing team can have access to only specific attributes of data in the DynamoDB table. The finance team and the marketing team have separate AWS accounts. What should a solutions architect do to provide the marketing team with the appropriate access to the DynamoDB table?
A. Create an SCP to grant the marketing team’s AWS account access to the specific attributes of the DynamoDB table. Attach the SCP to the OU of the finance team.
B. Create an IAM role in the finance team’s account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team’s account. In the marketing team’s account, create an IAM role that has permissions to assume the IAM role in the finance team’s account.
C. Create a resource-based IAM policy that includes conditions for specific DynamoDB attributes (fine-grained access control). Attach the policy to the DynamoDB table. In the marketing team’s account, create an IAM role that has permissions to access the DynamoDB table in the finance team’s account.
D. Create an IAM role in the finance team’s account to access the DynamoDB table. Use an IAM permissions boundary to limit the access to the specific attributes. In the marketing team’s account, create an IAM role that has permissions to assume the IAM role in the finance team’s account.
Answer
B. Create an IAM role in the finance team’s account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team’s account. In the marketing team’s account, create an IAM role that has permissions to assume the IAM role in the finance team’s account.
Explanation
The best solution to provide the marketing team with the appropriate access to the DynamoDB table is:
B. Create an IAM role in the finance team’s account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team’s account. In the marketing team’s account, create an IAM role that has permissions to assume the IAM role in the finance team’s account.
Option B is a good choice because it allows the company to use IAM roles and policies to grant the marketing team access to only specific attributes of data in the DynamoDB table. IAM is a web service that helps you securely control access to AWS resources for your users. An IAM role is an entity that defines a set of permissions for making AWS service requests. An IAM policy is a document that defines one or more permissions. You can use IAM policy conditions to specify fine-grained access control for DynamoDB attributes, such as allowing or denying access based on attribute values or comparisons. You can create an IAM role in the finance team’s account that has a policy with conditions for specific DynamoDB attributes, and establish trust with the marketing team’s account by allowing it to assume the role. You can then create another IAM role in the marketing team’s account that has permissions to assume the IAM role in the finance team’s account. This way, the marketing team can access the DynamoDB table in the finance team’s account by assuming the role, but only see the attributes that are allowed by the policy.
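The two policy documents that option B relies on, plus a small model of how the attribute condition is evaluated, as an added example that is not part of the original explanation. Account IDs, the table ARN and the attribute list are constructed placeholders; `evaluate` is a simplified illustration of the `ForAllValues:StringEquals` and `StringEqualsIfExists` operators, not the real IAM engine.

```python
# Assumed placeholder values (not from the original question).
FINANCE_ACCOUNT = "111111111111"
MARKETING_ACCOUNT = "222222222222"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{FINANCE_ACCOUNT}:table/FinanceData"
SHARED_ATTRIBUTES = ["CustomerId", "Region", "Segment"]  # no confidential columns


def permission_policy(allowed_attrs):
    """Identity policy for the role in the finance account (fine-grained access control)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                       "dynamodb:Query", "dynamodb:Scan"],
            "Resource": TABLE_ARN,
            "Condition": {
                # every attribute named in the request must be in the shared list
                "ForAllValues:StringEquals": {"dynamodb:Attributes": allowed_attrs},
                # a Query/Scan that would return all attributes is refused
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def trust_policy(trusted_account):
    """Trust policy on the finance-account role: lets a role in the marketing account assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def evaluate(policy, requested_attrs, select=None):
    """Simplified, illustrative model of the two condition operators (assumption, not IAM itself).

    ForAllValues:StringEquals passes when the requested attribute set is a subset of the
    allowed list; an empty set passes, which is why the dynamodb:Select condition is needed.
    StringEqualsIfExists passes when the key is absent or equal to the expected value.
    """
    cond = policy["Statement"][0]["Condition"]
    allowed = set(cond["ForAllValues:StringEquals"]["dynamodb:Attributes"])
    attrs_ok = set(requested_attrs) <= allowed
    want = cond["StringEqualsIfExists"]["dynamodb:Select"]
    select_ok = select is None or select == want
    return "Allow" if attrs_ok and select_ok else "Deny"
```

The marketing account's own role still needs an identity policy allowing `sts:AssumeRole` on the finance role's ARN; both sides must agree before the assumption succeeds.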
The other options are not as good as option B for the following reasons:
- Option A is not a good choice because it does not provide fine-grained access control for DynamoDB attributes, but only for accounts. An SCP is a type of organization policy that you can use to manage permissions in your organization. An SCP offers central control over the maximum available permissions for all accounts in your organization, but it does not grant any permissions by itself. You can create an SCP to grant the marketing team’s account access to the DynamoDB table, but you cannot specify which attributes they can see or modify. Also, attaching the SCP to the OU of the finance team does not make sense, since it will affect all accounts in that OU, not just the marketing team’s account.
- Option C is not a good choice because it does not provide secure access control for cross-account scenarios, but only for resources within an account. A resource-based IAM policy is a document that you attach to an AWS resource (such as a DynamoDB table) to specify who can access that resource and under what conditions. You can create a resource-based IAM policy that includes conditions for specific DynamoDB attributes and attach it to the DynamoDB table, but you cannot specify which account can access that table. You can then create an IAM role in the marketing team’s account that has permissions to access the DynamoDB table in the finance team’s account, but this will expose the table to any other account that has similar permissions. This option also requires you to manage two policies (one resource-based and one identity-based) instead of one.
- Option D is not a good choice because it does not provide fine-grained access control for DynamoDB attributes, but only for actions. An IAM permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity (such as a user or role). You can create an IAM role in the finance team’s account to access the DynamoDB table and use a permissions boundary to limit the actions that can be performed on the table, such as GetItem or PutItem. However, you cannot use a permissions boundary to limit which attributes can be accessed or modified on the table. You can then create another IAM role in the marketing team’s account that has permissions to assume the IAM role in the finance team’s account, but this will still allow them to see all attributes on the table.
Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.