An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a
separate DyanmoDB table. All the users are added to the same group and the organization wants to setup a
group level policy for this. How can the organization achieve this?
A.
Define the group policy and add a condition which allows the access based on the IAM name
B.
Create a DynamoDB table with the same name as the IAM user name and define the policy rule which
grants access based on the DynamoDB ARN using a variable
C.
Create a separate DynamoDB database for each user and configure a policy in the group based on the DB
variable
D.
It is not possible to have a group level policy which allows different IAM users to different DynamoDB
Tables
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user
permissions for various AWS services. AWS DynamoDB has only tables and the organization cannot
makeseparate databases. The organization should create a table with the same name as the IAM user name
and use the ARN of DynamoDB as part of the group policy. The sample policy is shown below:
Correct Answer is B
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_specific-table.html
8
0
But this doesn’t specify how you allow access user based, but only table based.
0
0
B might actually be correct. Did more digging and found this:
Instead of attaching policies to individual users, you can use IAM policy variables to write a single policy and attach it to a group. You need to create a group and, for this example, add both users Alice and user Bob to the group. The following example grants permissions to perform all DynamoDB actions on the ${aws:username}_ProductCatalog table. The policy variable ${aws:username} is replaced by the requester’s user name when the policy is evaluated. For example, if Alice sends a request to add an item, the action is allowed only if Alice is adding items to the Alice_ProductCatalog table.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
11
1
Its B
0
0