Q14 — AWS SAP-C02 Ch.3


Q239. A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company's finance team has a data processing application that uses AWS Lambda and Amazon DynamoDB. The company's marketing team wants to access the data that is stored in the DynamoDB table. The DynamoDB table contains confidential data. The marketing team can have access to only specific attributes of data in the DynamoDB table. The finance team and the marketing team have separate AWS accounts.

What should a solutions architect do to provide the marketing team with the appropriate access to the DynamoDB table?

Correct Answer: B. Create an IAM role in the finance team's account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team's account. In the marketing team's account, create an IAM role that has permissions to assume the IAM role in the finance team's account

Explanation

The correct answer is B. It gives the marketing team the appropriate access to the DynamoDB table while keeping the data confidential through fine-grained access control.

To achieve this, create an IAM role in the finance team's account with IAM policy conditions that allow access to specific DynamoDB attributes. This fine-grained access control ensures that the marketing team can access only the specified attributes in the DynamoDB table.

Establish trust between the finance team's account and the marketing team's account to enable cross-account access. This allows the marketing team's account to assume the IAM role in the finance team's account.

In the marketing team's account, create an IAM role that has permissions to assume the IAM role in the finance team's account. Grant this role the necessary permissions to access the DynamoDB table in the finance team's account.

By following these steps, the marketing team has appropriate access to the DynamoDB table, limited to specific attributes based on the IAM policy conditions. The finance team maintains control over the data, and the confidentiality of the data is preserved. The solution combines fine-grained access control, IAM roles, and cross-account access to provide secure and controlled access to the DynamoDB table between AWS accounts in the multi-account setup.
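The finance-account side of option B, written as a CloudFormation template. This is an added example, not part of the original question or its answer key; the role name, table name, attribute names and the MarketingAccountId parameter are hypothetical placeholders.

```yaml
# Added example: deploy in the FINANCE account. All names are hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  MarketingAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
Resources:
  MarketingReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: marketing-dynamodb-read          # hypothetical role name
      # Trust policy: principals in the marketing account may assume this role,
      # provided their own identity policy also allows sts:AssumeRole on it.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${MarketingAccountId}:root"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-selected-attributes
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:                          # read-only; no write actions
                  - dynamodb:GetItem
                  - dynamodb:BatchGetItem
                  - dynamodb:Query
                # FinanceData is a hypothetical table name.
                Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/FinanceData"
                Condition:
                  # Every attribute named in the request must be in this list.
                  # The table's key attributes have to be included as well.
                  ForAllValues:StringEquals:
                    dynamodb:Attributes:
                      - CustomerId               # hypothetical partition key
                      - Segment                  # hypothetical permitted attribute
                      - CampaignCode             # hypothetical permitted attribute
                  # If the request carries a Select parameter, it must ask for
                  # specific attributes rather than all of them.
                  StringEqualsIfExists:
                    dynamodb:Select: SPECIFIC_ATTRIBUTES
```

The marketing account then needs a role whose policy allows `sts:AssumeRole` on this role's ARN; without that, the trust statement alone grants nothing to marketing's users.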