nerdexam
Amazon

DVA-C02 · Question #457

A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes: user_id, user_name, user_score, and user_rank. The users are allowed to update their names only. A

The correct answer is A. "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ], "dynamodb:Attributes": [ "user_name" ] } }. Option A is correct because it uses dynamodb:LeadingKeys matched to the authenticated user's user_id (via the web identity federation variable ${www.amazon.com:user_id}), ensuring users can only modify their own records. The dynamodb:Attributes condition restricts the writable at

Submitted by asante_acc· Mar 5, 2026Identity and Access Management / Security - Implementing fine-grained access control for AWS DynamoDB using IAM policy conditions with web identity federation

Question

A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes: user_id, user_name, user_score, and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation. Which set of conditions should be added in the policy attached to the role for the dynamodb:PutItem API call? A. B. C. D.

Exhibits

DVA-C02 question #457 exhibit 1
DVA-C02 question #457 exhibit 2
DVA-C02 question #457 exhibit 3
DVA-C02 question #457 exhibit 4
DVA-C02 question #457 exhibit 5
DVA-C02 question #457 exhibit 6
DVA-C02 question #457 exhibit 7
DVA-C02 question #457 exhibit 8

Options

  • A"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ], "dynamodb:Attributes": [ "user_name" ] } }
  • B"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_name}" ], "dynamodb:Attributes": [ "user_id" ] } }
  • C"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ], "dynamodb:Attributes": [ "user_name", "user_id" ] } }
  • D"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_name}" ], "dynamodb:Attributes": [ "user_name", "user_id" ] } }

How the community answered

(29 responses)
  • A
    55% (16)
  • B
    24% (7)
  • C
    7% (2)
  • D
    14% (4)

Explanation

Option A is correct because it uses dynamodb:LeadingKeys matched to the authenticated user's user_id (via the web identity federation variable ${www.amazon.com:user_id}), ensuring users can only modify their own records. The dynamodb:Attributes condition restricts the writable attribute to only user_name, which aligns with the requirement that users can update their names only. Together, these two conditions enforce both row-level and attribute-level security.

Topics

#DynamoDB Fine-Grained Access Control#IAM Policy Conditions#Web Identity Federation#Attribute-Level Security

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice