nerdexam
Amazon

DVA-C02 · Question #517

A developer has an AWS Lambda function that needs to access an Amazon DynamoDB table named DailyOrders. The Lambda function must be able to perform read operations on the table. The Lambda function mu

The correct answer is D. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:eu-east-1:321456987012:table/DailyOrders" } ] }. Option D is correct because it grants only read-only DynamoDB actions - BatchGetItem, GetItem, Query, and Scan - scoped specifically to the DailyOrders table ARN, satisfying both the read requirement and the write restriction. This follows the principle of least privilege by expl

Submitted by haruto_sh· Mar 5, 2026Security, Identity, and Compliance - Implementing least-privilege IAM policies for AWS service access

Question

A developer has an AWS Lambda function that needs to access an Amazon DynamoDB table named DailyOrders. The Lambda function must be able to perform read operations on the table. The Lambda function must not be able to perform write operations on the table. The developer needs to create an IAM policy to associate with the Lambda function's execution role. Which IAM policy statement will meet these requirements? A. B. C. D.

Options

  • A{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem" ], "Resource": "arn:aws:dynamodb:eu-east-1:321456987012:table/DailyOrders" } ] }
  • B{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:eu-east-1:321456987012:table/DailyOrders" } ] }
  • C{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem" ], "Resource": "arn:aws:dynamodb:eu-east-1:321456987012:table/DailyOrders" } ] }
  • D{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:eu-east-1:321456987012:table/DailyOrders" } ] }

How the community answered

(31 responses)
  • B
    3% (1)
  • C
    3% (1)
  • D
    94% (29)

Explanation

Option D is correct because it grants only read-only DynamoDB actions - BatchGetItem, GetItem, Query, and Scan - scoped specifically to the DailyOrders table ARN, satisfying both the read requirement and the write restriction. This follows the principle of least privilege by explicitly allowing only what is necessary without granting any write permissions. The policy is also correctly structured with an 'Allow' effect and a precise resource ARN.

Topics

#IAM Policies#Least Privilege#Lambda Execution Role#DynamoDB Access Control

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice