AWS Certified Developer – Associate / Question #1000 of 557

Question #1000

A gaming application stores player data in an Amazon DynamoDB table with attributes: userid (partition key), username, useremail, and userstatus. Users can update their email and status. Authentication is via web identity federation.

Which set of conditions should be added in the policy attached to the role for the dynamodb:PutItem API call?

A

{\n \"Condition\": {\n \"ForAllValues:StringEquals\": {\n \"dynamodb:LeadingKeys\": [\n \"${www.amazon.com:userid}\"\n ],\n \"dynamodb:Attributes\": [\n \"useremail\"\n ]\n }\n }\n}

B

{\n \"Condition\": {\n \"ForAllValues:StringEquals\": {\n \"dynamodb:LeadingKeys\": [\n \"${www.amazon.com:useremail}\"\n ],\n \"dynamodb:Attributes\": [\n \"userid\"\n ]\n }\n }\n}

C

{\n \"Condition\": {\n \"ForAllValues:StringEquals\": {\n \"dynamodb:LeadingKeys\": [\n \"${www.amazon.com:userid}\"\n ],\n \"dynamodb:Attributes\": [\n \"useremail\",\"user_status\"\n ]\n }\n }\n}

D

{\n \"Condition\": {\n \"ForAllValues:StringEquals\": {\n \"dynamodb:LeadingKeys\": [\n \"${www.amazon.com:userstatus}\"\n ],\n \"dynamodb:Attributes\": [\n \"useremail\",\"user_id\"\n ]\n }\n }\n}

Explanation

Answer C is correct because:
1. LeadingKeys condition: ${www.amazon.com:user_id} is the policy variable that IAM fills in with the user_id claim from the Login with Amazon token, so dynamodb:LeadingKeys limits the call to the item whose partition key (userid) equals the caller's own identity. Each user can write only their own item.
2. Attributes condition: listing useremail and userstatus in dynamodb:Attributes lets the role write only those attributes, which matches the requirement that users may update their email and status.

Other options fail because:
- A: Omits userstatus from the allowed attributes, so status updates would be denied.
- B: Uses useremail as the LeadingKeys value; the partition key is userid, and an email address is not the identity the provider asserts.
- D: Uses userstatus for LeadingKeys, which is not the partition key.

Key Points:
- Use dynamodb:LeadingKeys with the identity provider's user-ID policy variable to scope access to the caller's own item.
- Use dynamodb:Attributes to restrict which attributes can be written or read. Both conditions use ForAllValues:StringEquals, which passes only if every value in the request is in the allowed list.
- In a production policy the dynamodb:Attributes list must also name the table's key attributes (here userid): a PutItem item always carries its partition key, and AWS documents that primary key and index key attributes must be listed whenever dynamodb:Attributes is used. Attribute names are matched exactly, so they must be spelled as they are in the table.
- PutItem replaces the whole item, so a user allowed to write only useremail and userstatus cannot keep username through PutItem; UpdateItem is the better fit for partial updates.
- Web identity federation maps the external identity to an IAM role; claims from the provider are available as policy variables such as ${www.amazon.com:user_id} (Login with Amazon) or ${cognito-identity.amazonaws.com:sub} (Amazon Cognito).
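The following is an added example, not part of the original question bank or of any AWS code: a small Python model of how IAM evaluates ForAllValues:StringEquals on the dynamodb:LeadingKeys and dynamodb:Attributes condition keys for a PutItem request. It substitutes the ${www.amazon.com:user_id} variable from the federated identity's claims and then checks that every value the request carries is in the allowed set. The evaluator itself, the sample identity (the user_id values are made up) and the sample items are constructed here to illustrate the semantics; they are not the real IAM policy engine.

```python
import re
from typing import Dict, Iterable, Set

# Partition key of the example table described in the question.
TABLE_PARTITION_KEY = "userid"

# Matches IAM policy variables such as ${www.amazon.com:user_id}.
VAR_PATTERN = re.compile(r"\$\{([^}]+)\}")


def resolve_variables(values: Iterable[str], identity: Dict[str, str]) -> Set[str]:
    """Substitute ${provider:claim} variables from the federated identity's claims.

    IAM replaces the variable with the claim carried by the web identity token; an
    unresolved variable is left as literal text here, so it can never match a key.
    """
    resolved = set()
    for value in values:
        def sub(match: "re.Match[str]") -> str:
            return identity.get(match.group(1), match.group(0))
        resolved.add(VAR_PATTERN.sub(sub, value))
    return resolved


def put_item_context(item: Dict[str, str]) -> Dict[str, Set[str]]:
    """Build the condition-key values DynamoDB exposes for a PutItem request.

    dynamodb:LeadingKeys is the partition-key value of the item being written;
    dynamodb:Attributes is every attribute name in the item, key attributes included.
    """
    if TABLE_PARTITION_KEY not in item:
        raise ValueError("PutItem item must contain the partition key")
    return {
        "dynamodb:LeadingKeys": {item[TABLE_PARTITION_KEY]},
        "dynamodb:Attributes": set(item.keys()),
    }


def for_all_values_string_equals(request_values: Set[str], allowed: Set[str]) -> bool:
    """ForAllValues:StringEquals is true when every request value is in the allowed
    set. It is also true for an empty request set, which is why it is only safe on
    condition keys that are always present in the request, as these two are."""
    return request_values.issubset(allowed)


def put_item_allowed(policy: dict, identity: Dict[str, str], item: Dict[str, str]) -> bool:
    """Return True if the statement's condition block matches this PutItem request."""
    context = put_item_context(item)
    block = policy["Condition"]["ForAllValues:StringEquals"]
    for condition_key, allowed_values in block.items():
        allowed = resolve_variables(allowed_values, identity)
        if not for_all_values_string_equals(context[condition_key], allowed):
            return False
    return True


# Option C as written in the question.
ANSWER_C = {
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
            "dynamodb:Attributes": ["useremail", "userstatus"],
        }
    }
}

# Same condition with the partition key added to dynamodb:Attributes, which a real
# PutItem policy needs because the written item always carries its key attribute.
ANSWER_C_WITH_KEY = {
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
            "dynamodb:Attributes": ["userid", "useremail", "userstatus"],
        }
    }
}

# Constructed sample identity and items; the user_id values are invented.
ALICE = {"www.amazon.com:user_id": "amzn1.account.ALICE"}
OWN_ITEM = {"userid": "amzn1.account.ALICE", "useremail": "alice@example.com", "userstatus": "online"}
OTHER_ITEM = {"userid": "amzn1.account.BOB", "useremail": "bob@example.com", "userstatus": "online"}
OWN_ITEM_WITH_NAME = dict(OWN_ITEM, username="alice")


if __name__ == "__main__":
    print("option C, own item:", put_item_allowed(ANSWER_C, ALICE, OWN_ITEM))  # False
    print("with key, own item:", put_item_allowed(ANSWER_C_WITH_KEY, ALICE, OWN_ITEM))  # True
    print("with key, other user's item:", put_item_allowed(ANSWER_C_WITH_KEY, ALICE, OTHER_ITEM))  # False
    print("with key, extra attribute:", put_item_allowed(ANSWER_C_WITH_KEY, ALICE, OWN_ITEM_WITH_NAME))  # False
```

The first case shows the caveat from the key points: because the item being put contains userid, and ForAllValues requires every attribute name in the request to be in the allowed list, option C's attribute list as written rejects even a user's own write until the key attribute is added. The last case shows why PutItem is an awkward fit for "update two fields": an item that also carries username is denied, and one that omits it overwrites the stored value.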

Answer

The correct answer is: C