Question #1060
A developer has an AWS Lambda function that needs to access an Amazon DynamoDB table named MonthlyReports. The Lambda function must be able to perform read operations on the table. The Lambda function must not be able to perform write operations on the table.
The developer needs to create an IAM policy to associate with the Lambda function's execution role.
Which IAM policy statement will meet these requirements?
A.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:DeleteItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MonthlyReports"
    }
  ]
}
B.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MonthlyReports"
    }
  ]
}
C.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MonthlyReports"
    }
  ]
}
D.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MonthlyReports"
    }
  ]
}
Explanation
The correct answer is D. The policy must allow the read operations (GetItem, BatchGetItem, Query, Scan) and must not grant any write operation; since IAM denies every action that is not explicitly allowed, leaving the write actions out of the Allow statement is sufficient. Option D includes only read actions:
- BatchGetItem: Retrieves multiple items in a batch.
- GetItem: Retrieves a single item.
- Query: Retrieves items based on partition key.
- Scan: Reads all items in the table.
Other options are incorrect because:
- A: Includes DeleteItem, PutItem, UpdateItem (write actions).
- B: Includes PutItem and BatchWriteItem (write actions).
- C: Includes UpdateItem and DeleteItem (write actions).
Key Point: Lambda execution roles follow the principle of least privilege. For read-only DynamoDB access, only read-specific API actions should be allowed.
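As an added example (not part of the original question or of AWS's own tooling), the following Python script audits the four candidate policies against a read/write classification of DynamoDB actions. It also handles the cases the question does not show: a single-string "Action", Deny statements, and wildcard patterns such as dynamodb:* or dynamodb:Get*, which IAM matches case-insensitively. The action lists are a constructed subset, not the full DynamoDB action set.

```python
import fnmatch

# DynamoDB data-plane actions that only read table contents.
READ_ACTIONS = {"dynamodb:BatchGetItem", "dynamodb:GetItem",
                "dynamodb:Query", "dynamodb:Scan"}
# Mutating actions named in the answer options (constructed, not exhaustive).
WRITE_ACTIONS = {"dynamodb:PutItem", "dynamodb:UpdateItem",
                 "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"}
TABLE_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/MonthlyReports"

def allowed_actions(policy):
    """Known DynamoDB actions granted by Allow statements. IAM matches action
    names case-insensitively with wildcards, so dynamodb:* expands to all."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a single string
            actions = [actions]
        for pattern in actions:
            for known in READ_ACTIONS | WRITE_ACTIONS:
                if fnmatch.fnmatchcase(known.lower(), pattern.lower()):
                    granted.add(known)
    return granted

def is_read_only(policy):
    """True if the policy grants at least one read and no known write."""
    granted = allowed_actions(policy)
    return bool(granted & READ_ACTIONS) and not (granted & WRITE_ACTIONS)

def option(*actions):  # one candidate policy in the shape the question uses
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": TABLE_ARN}]}

OPTIONS = {  # the four answer options, transcribed from the question
    "A": option("dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query",
                "dynamodb:Scan", "dynamodb:DeleteItem", "dynamodb:PutItem",
                "dynamodb:UpdateItem"),
    "B": option("dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query",
                "dynamodb:BatchWriteItem"),
    "C": option("dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"),
    "D": option("dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query",
                "dynamodb:Scan"),
}

def read_only_options():
    """Letters of the options that satisfy the read-only requirement."""
    return sorted(k for k, p in OPTIONS.items() if is_read_only(p))
```

Running read_only_options() returns ['D']; the same check applied to a policy with "dynamodb:*" reports it as granting writes, which is why broad wildcards fail a least-privilege review even when the intent was read-only.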
Answer
The correct answer is: D