AWS Certified Solutions Architect – Associate (SAA-C02) — Question 581

A company's web application consists of an Amazon API Gateway API in front of an AWS Lambda function and an Amazon DynamoDB database. The Lambda function handles the business logic, and the DynamoDB table hosts the data. The application uses Amazon Cognito user pools to identify the individual users of the application. A solutions architect needs to update the application so that only users who have a subscription can access premium content.
Which solution will meet this requirement with the LEAST operational overhead?

Answer options

• A. Enable API caching and throttling on the API Gateway API.
• B. Set up AWS WAF on the API Gateway API. Create a rule to filter users who have a subscription.
• C. Apply fine-grained IAM permissions to the premium content in the DynamoDB table.
• D. Implement API usage plans and API keys to limit the access of users who do not have a subscription.

Correct answer: C

Explanation

Applying fine-grained IAM permissions in Amazon DynamoDB allows the application to control access to specific table items based on Amazon Cognito user attributes with minimal operational overhead. Options like API caching, throttling, and AWS WAF are designed for performance and network security rather than application-level user authorization. Using API keys and usage plans is intended for API client identification and rate limiting, not for managing user-specific subscription content access.