AWS Certified Solutions Architect - Associate / Question #2001 of 1019

Question #2001

A company has an Amazon DynamoDB table that contains sensitive data. The company has an application that runs on virtual machines in an on-premises data center. The company currently uses AWS IAM Identity Center.

The application requires temporary access to the DynamoDB table. The company wants to grant the application secure access to the data in the DynamoDB table.

Which solution will meet these requirements?

A

Create a DynamoDB resource policy that permits access to the table from the public IP address range of the company's on-premises data center.

B

Use IAM Roles Anywhere to obtain security credentials in IAM Identity Center that grant access to the DynamoDB table. Configure the virtual machines to assume the role by using the AWS CLI.

C

Install the AWS CLI on the virtual machine. Configure the AWS CLI with access keys from an IAM user that has access to the DynamoDB table.

D

Create an IAM user and policy that grants access to the DynamoDB table. Store the access key and secret key for the IAM user in AWS Secrets Manager. Configure the application to retrieve the access key and secret key at startup.

Explanation

Answer B is correct because:
- IAM Roles Anywhere enables on-premises applications to assume IAM roles using temporary credentials, eliminating the need for long-term access keys.
- It integrates with IAM Identity Center (AWS SSO), allowing the application to securely authenticate and retrieve temporary credentials.
- Temporary credentials are more secure than static access keys (as in options C and D) and automatically expire, reducing the risk of compromise.

Why other options are incorrect:
- A: DynamoDB does not support IP-based resource policies for access control. Even if it did, IP-based rules are a weak control: a source IP identifies a network, not an application, and the rule breaks whenever the data center's address range changes.
- C and D: Both involve long-term access keys, which pose security risks if exposed. The question specifies temporary access, making these options unsuitable.

Key Points:
- Use IAM Roles Anywhere for secure, temporary credentials in hybrid (on-premises/AWS) environments.
- Avoid long-term credentials (access keys) for sensitive data access.
- IAM Identity Center centralizes access management for AWS resources.
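An added example, not part of the original question set, of what option B looks like on the on-premises VM: an AWS CLI profile that obtains temporary credentials through IAM Roles Anywhere via the `aws_signing_helper` credential helper, shown beside the static-key profile that options C and D would produce. The ARNs, file paths and role name are placeholders; it assumes the VM holds an X.509 client certificate issued by a CA registered as a Roles Anywhere trust anchor.

```ini
# ~/.aws/config on the on-premises VM (example, placeholders throughout)

# Option B: credentials are fetched on demand from IAM Roles Anywhere.
# credential_process runs the helper, which signs a request with the
# VM's client certificate and returns short-lived STS credentials
# (AccessKeyId, SecretAccessKey, SessionToken, Expiration).
[profile dynamodb-onprem]
region = us-east-1
credential_process = /opt/aws/aws_signing_helper credential-process \
    --certificate /etc/pki/app/client.pem \
    --private-key /etc/pki/app/client.key \
    --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/PLACEHOLDER \
    --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/PLACEHOLDER \
    --role-arn arn:aws:iam::123456789012:role/OnPremDynamoDBAccess \
    --session-duration 3600

# Options C and D (what to avoid): a long-lived IAM user key on disk.
# Nothing expires, so a leaked file grants access until someone
# notices and rotates the key.
# [profile dynamodb-static-keys]
# aws_access_key_id = AKIAPLACEHOLDER
# aws_secret_access_key = PLACEHOLDER
```

The role referenced by `--role-arn` should carry only the DynamoDB actions the application needs on that one table, and its trust policy should allow `rolesanywhere.amazonaws.com` to assume it, optionally restricted to the expected certificate subject.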

Answer

The correct answer is: B