IAM policy for DynamoDB - Practice Problems & Coding Challenges

Challenge - 5 Problems
service_behavior
intermediate
Which IAM policy allows full access to a specific DynamoDB table?
Given the following IAM policy, what is the effect on the DynamoDB table named OrdersTable?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/OrdersTable"
    }
  ]
}
A. Allows read-only actions on all DynamoDB tables in the account.
B. Allows all DynamoDB actions on all tables in the us-east-1 region.
C. Denies all actions on the OrdersTable.
D. Allows all DynamoDB actions on the OrdersTable only.
💡 Hint
Look at the Action and Resource fields carefully.
security
intermediate
Which IAM policy snippet restricts DynamoDB write actions but allows read actions on all tables?
Select the policy snippet that correctly restricts write actions (PutItem, UpdateItem, DeleteItem) but allows read actions (GetItem, Query, Scan) on all DynamoDB tables.
A
{
  "Effect": "Allow",
  "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
  "Resource": "arn:aws:dynamodb:*:*:table/*"
}
B
{
  "Effect": "Deny",
  "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
  "Resource": "arn:aws:dynamodb:*:*:table/*"
}
C
{
  "Effect": "Allow",
  "Action": "dynamodb:*",
  "Resource": "arn:aws:dynamodb:*:*:table/*"
}
D
{
  "Effect": "Allow",
  "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
  "Resource": "arn:aws:dynamodb:*:*:table/*"
}
💡 Hint
Focus on which actions are allowed and which are denied.
Architecture
advanced
What is the minimum IAM policy to allow a Lambda function to update items in a DynamoDB table named Users?
Choose the policy that grants only the necessary permissions for a Lambda function to update items in the DynamoDB table Users.
A
{
  "Effect": "Allow",
  "Action": "dynamodb:UpdateItem",
  "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Users"
}
B
{
  "Effect": "Allow",
  "Action": "dynamodb:*",
  "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Users"
}
C
{
  "Effect": "Allow",
  "Action": ["dynamodb:UpdateItem", "dynamodb:GetItem"],
  "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Users"
}
D
{
  "Effect": "Allow",
  "Action": "dynamodb:UpdateItem",
  "Resource": "*"
}
💡 Hint
Minimal permissions mean only what is needed for update.
Best Practice
advanced
Which IAM policy practice improves security when granting DynamoDB access?
Select the best practice for writing IAM policies that grant access to DynamoDB tables.
A. Grant full DynamoDB access (dynamodb:*) on all tables to reduce complexity.
B. Grant access to DynamoDB tables using a wildcard resource ARN like arn:aws:dynamodb:*:*:table/* for all users.
C. Use resource-level permissions to restrict access to only required tables and actions.
D. Avoid specifying resources and allow all actions globally for easier management.
💡 Hint
Think about the principle of least privilege.
🧠 Conceptual
expert
What error occurs if an IAM policy denies all DynamoDB actions but a user has a separate policy allowing GetItem on a table?
If a user has two IAM policies: one explicitly denies all DynamoDB actions, and another allows only GetItem on a specific table, what is the effective permission when the user tries to perform GetItem?
A. The user can perform GetItem only if the deny policy is attached to a different user.
B. The GetItem action is denied because explicit deny overrides allow.
C. The user receives a syntax error due to conflicting policies.
D. The GetItem action is allowed because explicit allow overrides deny.
💡 Hint
Remember how AWS IAM evaluates deny and allow statements.