AWS Certified SysOps Administrator – Associate (legacy) — Question 167
An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group, and the organization wants to set up a group-level policy for this. How can the organization achieve this?
Answer options
- A. Define the group policy and add a condition which allows the access based on the IAM name
- B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
- C. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
- D. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
Correct answer: B
Explanation
The correct answer is B because creating a DynamoDB table with the same name as the IAM user allows a single group policy to use a policy variable in the table ARN, so each user is granted access only to the table that matches their own name. Option A is incorrect because a condition based on the IAM user name will not work for this scenario. Option C is not feasible because it suggests creating a separate database for each user rather than a separate table, which complicates the architecture unnecessarily. Option D is also incorrect, since such a group-level policy can indeed be set up effectively.
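The following is an added example of the group policy that option B describes; it is not part of the original question. It relies on the IAM policy variable `${aws:username}`, which IAM substitutes with the name of the requesting IAM user at evaluation time, so a single statement attached to the group resolves to a different table ARN for each member. The region `us-east-1` and the account ID `123456789012` are placeholders, and the action list is one reasonable choice rather than anything the question prescribes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessOwnDynamoDBTableOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/${aws:username}"
    }
  ]
}
```

Two practical checks before relying on this: the table name must match the IAM user name exactly (the variable is substituted literally, with no case folding), and `${aws:username}` is only populated for IAM users, so the same policy attached to a role would not resolve and the request would be denied. Because no wildcard appears in the resource, a user named `alice` can reach `table/alice` but not `table/bob`, which is the least-privilege outcome the question is after.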