
Why IAM policies protect data in DynamoDB - Challenge Your Understanding

Challenge - 5 Problems
🧠 Conceptual
intermediate
How IAM policies control access to DynamoDB data

Which statement best explains how IAM policies protect data in DynamoDB?

A. IAM policies back up DynamoDB data regularly to protect against data loss.
B. IAM policies automatically encrypt all data stored in DynamoDB tables without user configuration.
C. IAM policies define who can access DynamoDB tables and what actions they can perform, preventing unauthorized data access.
D. IAM policies monitor network traffic to detect unauthorized access attempts to DynamoDB.
💡 Hint

Think about how permissions control user actions on data.

query_result
intermediate
Effect of missing IAM permission on DynamoDB query

Given a user without the dynamodb:Query permission on a table, what will happen when they try to run a query?

aws dynamodb query --table-name Customers --key-condition-expression "CustomerId = :id" --expression-attribute-values '{":id":{"S":"123"}}'
A. The query fails with an AccessDeniedException error.
B. The query runs successfully and returns matching items.
C. The query returns an empty result set without error.
D. The query runs but only returns partial data.
💡 Hint

Consider what happens if permissions are missing for an action.

📝 Syntax
advanced
Identify the correct IAM policy statement to allow reading from a DynamoDB table

Which IAM policy statement correctly allows a user to read items from the DynamoDB table named Orders?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:GetItem",
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    }
  ]
}
A
{
  "Effect": "Deny",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
}
B
{
  "Effect": "Allow",
  "Action": "dynamodb:PutItem",
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
}
C
{
  "Effect": "Allow",
  "Action": "dynamodb:DeleteItem",
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
}
D
{
  "Effect": "Allow",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
}
💡 Hint

Look for the action that reads data and the effect that allows it.

optimization
advanced
Optimizing IAM policies for least privilege on DynamoDB

You want to grant a user permission to only update the Status attribute of items in the Shipments table. Which IAM policy approach best follows the principle of least privilege?

A. Allow dynamodb:UpdateItem on the Shipments table with a condition restricting updates to the Status attribute only.
B. Allow all DynamoDB actions on the Shipments table.
C. Allow dynamodb:PutItem on the Shipments table.
D. Allow dynamodb:UpdateItem on the entire Shipments table without conditions.
💡 Hint

Think about limiting permissions to only what is necessary.

🔧 Debug
expert
Diagnose why an IAM policy does not allow reading from DynamoDB

A user has this IAM policy but cannot read items from the Inventory table. What is the most likely reason?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:Scan"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Inventory"
    }
  ]
}
A. The Resource ARN is incorrect and does not match the Inventory table.
B. The policy only allows Scan, but the user is trying to use GetItem or Query which are not allowed.
C. The Effect should be Deny instead of Allow to permit access.
D. The policy is missing the version date, so it is invalid.
💡 Hint

Check which actions the policy allows versus what the user tries to do.