Securing EC2 Access to DynamoDB with VPC Gateway Endpoint | AWS Security Specialty Exam

Denying List and Describe Actions for DynamoDB Tables without VPC Gateway Endpoint

Prev Question Next Question

Question

You have an EC2 instance that needs to work with a DynamoDB table through a VPC Gateway endpoint for DynamoDB.

For the IAM role used by the EC2 instance, there is a requirement to deny the actions to List and Describe DynamoDB tables if the connection does not go through the VPC Gateway endpoint.

How would you achieve this requirement?

Answers

A. Create a DynamoDB resource policy as below: { "Statement": [ { "Sid": "ReadOnly", "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "vpce-11aa22bb" } ] }

B. Create a VPC endpoint policy as below: { "Statement": [ { "Sid": "ReadOnly", "Principal": "*", "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*" } ] }

C. Create an IAM policy for your IAM entities to restrict the actions as below: { "Statement": [ { "Sid": "ReadOnly", "Principal": "*", "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Deny", "Resource": "arn:aws:dynamodb:region:account-id:table/*", "Condition": { "StringNotEquals" : { "aws:sourceVpce": "vpce-11aa22bb" } } } ] }

D. Create a VPC endpoint policy as below: { "Statement": [ { "Sid": "ReadOnly", "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "vpce-11aa22bb" } ] }

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer : C.

Option A is incorrect because DynamoDB does not provide an option to create a resource policy.

Option B is incorrect because the restriction should be performed in the IAM role instead of the VPC endpoint policy.

Option C is CORRECT because it denies the DynamoDB actions (list & describe) if the VPC gateway endpoint is not used.

Option D is incorrect because the VPC endpoint policy is missing the resource and condition fields under the IAM policy.

And the restriction should be performed in the IAM role.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-ddb.html#vpc-endpoints-policies-ddb.

The correct answer is C.

Explanation:

The requirement is to deny the actions to List and Describe DynamoDB tables if the connection does not go through the VPC Gateway endpoint. This means that the IAM role used by the EC2 instance needs to have a policy that restricts the actions based on the source VPC endpoint.

Option A creates a DynamoDB resource policy that allows access to the vpce-11aa22bb endpoint for DescribeTable and ListTables. However, this policy doesn't restrict access from other sources, which is what the requirement is asking for.

Option B creates a VPC endpoint policy that allows access to all DynamoDB tables for DescribeTable and ListTables. This policy doesn't restrict access based on the source VPC endpoint, which is what the requirement is asking for.

Option D creates a VPC endpoint policy that allows access to the vpce-11aa22bb endpoint for DescribeTable and ListTables. This policy doesn't restrict access from other sources, which is what the requirement is asking for.

Option C creates an IAM policy that restricts access to DynamoDB tables based on the source VPC endpoint. It denies access to the actions for all tables unless the source VPC endpoint matches the vpce-11aa22bb endpoint. This policy fulfills the requirement of denying access to ListTables and DescribeTable actions from non-VPC Gateway endpoint connections.

Therefore, the correct answer is option C.

Prev Question Next Question