An organization has created 10 IAM users. The organization wants each of the IAM users to have
access to a separate DyanmoDB table. All the users are added to the same group and the
organization wants to setup a group level policy for this. How can the organization achieve this?
A.
Define the group policy and add a condition which allows the access based on the IAM name
B.
Create a DynamoDB table with the same name as the IAM user name and define the policy
rule
which grants access based on the DynamoDB ARN using a variable
C.
Create a separate DynamoDB database for each user and configure a policy in the group
based on
the DB variable
D.
It is not possible to have a group level policy which allows different IAM users to different
DynamoDB
Tables
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage
users and user permissions for various AWS services. AWS DynamoDB has only tables and the
organization cannot makeseparate databases. The organization should create a table with the
same name as the IAM user name and use the ARN of DynamoDB as part of the group policy.
The sample policy is shown below:
{
“Version”: “2012-10-17”,
“Statement”: [{“Effect”: “Allow”,
“Action”: [“dynamodb:*”],
“Resource”: “arn:aws:dynamodb:region:account-number-without-hyphens:table/${aws:username}”
}]}
B
B
Answer: D
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. AWS DynamoDB has only tables and the organization cannot makeseparate databases. The organization should create a table with the same name as the IAM user name and use the ARN of DynamoDB as part of the group policy. The sample policy is shown below:
{
“Version”: “2012-10-17”,
“Statement”: [{
“Effect”: “Allow”,
“Action”: [“dynamodb:*”],
“Resource”: “arn:aws:dynamodb:region:account-number-without-hyphens:table/${aws:username}”
}
]
}