
Answer-first summary for fast verification
Answer: Develop an IAM role in the finance team's account with IAM policy conditions for fine-grained access control over specific DynamoDB attributes. Set up a trust relationship with the marketing team's account, and in that account, create an IAM role with permissions to assume the role in the finance team's account.
The correct answer is B. DynamoDB does not support resource-based policies, so option C is not viable. Instead, creating an IAM role in the finance team's account with fine-grained access control using IAM policy conditions for specific DynamoDB attributes and establishing trust with the marketing team's account is the appropriate approach. This allows the marketing team to assume the role and access only the specified attributes in the DynamoDB table. Option B ensures precise access control and adheres to the necessary permissions model in a multi-account AWS environment.
Author: LeetQuiz Editorial Team
In a multi-account setup using AWS Organizations, the finance team utilizes AWS Lambda and Amazon DynamoDB for a data processing application. The DynamoDB table contains sensitive data, and the marketing team, operating under a separate AWS account, requires access to specific attributes within this table. How should a solutions architect configure access to ensure the marketing team can only access the necessary attributes in the DynamoDB table?
A
Implement an SCP to grant the marketing team's AWS account access to the specified attributes of the DynamoDB table, attaching the SCP to the organizational unit of the finance team.
B
Develop an IAM role in the finance team's account with IAM policy conditions for fine-grained access control over specific DynamoDB attributes. Set up a trust relationship with the marketing team's account, and in that account, create an IAM role with permissions to assume the role in the finance team's account.
C
Craft a resource-based IAM policy with conditions for fine-grained access control over specific DynamoDB attributes, attaching this policy to the DynamoDB table. In the marketing team's account, establish an IAM role with permissions to access the DynamoDB table in the finance team's account.
D
Design an IAM role in the finance team's account for accessing the DynamoDB table, utilizing an IAM permissions boundary to restrict access to the specified attributes. In the marketing team's account, create an IAM role with permissions to assume the role in the finance team's account.