Question #1344
A company hosts a web application on Amazon S3, which uses Amazon Cognito for user authentication. Upon successful login, users receive a JSON Web Token (JWT) granting access to a protected DynamoDB table. However, users report errors when attempting to interact with the DynamoDB resources after deployment. A solutions architect must ensure proper permissions are configured to resolve the issue.
Which solution meets these requirements?
A. Modify the IAM role associated with the Amazon Cognito identity pool to include permissions for the DynamoDB table.
B. Update the DynamoDB resource policy to grant access directly to the Amazon Cognito user pool.
C. Redeploy the application to use AWS Lambda to handle DynamoDB access, bypassing IAM role permissions.
D. Configure the Cognito user pool with custom scopes to authorize access to the DynamoDB table.
Explanation
Answer A is correct because Amazon Cognito identity pools assign temporary AWS credentials to authenticated users via an IAM role. If the IAM role lacks DynamoDB permissions, users cannot interact with the table. Modifying the role to include DynamoDB access resolves the issue.
Why other options are incorrect:
- B: DynamoDB does not support resource-based policies, so this approach is invalid.
- C: Using Lambda would require additional permissions and architectural changes without addressing the root cause (missing IAM role permissions).
- D: Cognito user pool scopes control OAuth2 token claims, not IAM permissions. Authorization for DynamoDB is managed via the identity pool's IAM role.
Key Points:
1. Cognito identity pools map users to IAM roles for AWS resource access.
2. DynamoDB permissions are granted via IAM policies attached to the identity pool's role.
3. Resource policies are not applicable for DynamoDB authorization.
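As an added illustration (not part of the question bank's material), the following CloudFormation template shows what the fix in option A looks like in practice: an identity pool bound to the user pool's app client, an authenticated IAM role whose trust policy accepts only authenticated identities from that pool, and an inline policy on that role granting DynamoDB access. The permissions sit on the identity pool's role, not on the user pool or a custom scope, which is the distinction the explanation draws. The user pool id, app client id and table name are placeholder parameters, and the LeadingKeys condition assumes the table's partition key holds the caller's Cognito identity id; drop that condition if the table is keyed differently.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Identity pool whose authenticated role can reach one DynamoDB table (added example)

Parameters:
  UserPoolId:
    Type: String            # placeholder: existing Cognito user pool, e.g. us-east-1_EXAMPLE
  UserPoolClientId:
    Type: String            # placeholder: the app client the web app signs in with
  TableName:
    Type: String            # placeholder: the protected DynamoDB table

Resources:
  AppIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: web-app-identities
      AllowUnauthenticatedIdentities: false   # only holders of a valid user-pool JWT get credentials
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClientId
          ProviderName: !Sub "cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}"

  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only this identity pool, and only authenticated identities, may assume the role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref AppIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: dynamodb-own-items-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:DeleteItem
                  - dynamodb:Query
                Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"
                # Fine-grained access control: the partition key must equal the caller's
                # identity id, so each signed-in user can only touch their own items
                Condition:
                  ForAllValues:StringEquals:
                    dynamodb:LeadingKeys:
                      - "${cognito-identity.amazonaws.com:sub}"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref AppIdentityPool
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
```

The symptom in the question (login succeeds, DynamoDB calls fail) is exactly what you see when the RoleAttachment points at a role whose Policies block lacks the DynamoDB statement: the token exchange still returns temporary credentials, but every table call is denied. Scoping the Resource to one table ARN and adding the LeadingKeys condition keeps the fix at least privilege rather than granting `dynamodb:*` to every signed-in user.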
Answer
The correct answer is: A