You are a developer at a company that has built a serverless application that allows users to make payments online.
The applications consist of several Lambda functions and a DynamoDB table.
This is implemented using a SAM template.
However, when users want to see their transactions and update their payment information, they cannot do so.
After debugging, you discover that the Lambda functions don't have permissions to access records from the DynamoDB table.
How will you resolve this issue using a tighter and more secure AWS Managed Policy?
A. B. C. D.
Answer: C.
Option A is incorrect, as providing full access to DynamoDB defeats the AWS best practice of least privilege.
There is no need to give access to all DynamoDB table APIs across all regions.
The requirement is to read and update a table.
Further, setting up a separate IAM role requires a special acknowledgment to deploy the application, which is not very efficient for the maintainability of the application.
Option B is incorrect, as providing full access to DynamoDB defeats the AWS best practice of least privilege.
There is no need to give access to all DynamoDB table APIs across all regions.
The requirement is to read and update a table.
Option C is CORRECT, as DynamoDBCrudPolicy grants create, read, update, and delete permissions on a DynamoDB table, which is tighter and more secure, in line with the best practice of least privilege.
It is also managed by AWS, which makes it AWS's responsibility to maintain the policy.
Option D is incorrect, as providing read-only access to DynamoDB doesn't meet the requirement, which is to read and update a table.
Further, setting up a separate IAM role requires a special acknowledgment to deploy the application, which is not very efficient for the maintainability of the application.
Reference:
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html

In this scenario, users of the serverless application are not able to see their transactions and update their payment information. This is because the Lambda functions don't have permissions to access the DynamoDB table that stores the payment information. To resolve this issue, we need to grant appropriate permissions to the Lambda functions so that they can access the DynamoDB table.
Option A suggests creating an IAM role with the AWS Managed Policy AmazonDynamoDBFullAccess and attaching it to the Lambda functions. This policy provides full access to DynamoDB, including read and write access to all tables and streams. While this would solve the problem, it is not the best solution from a security perspective. Giving full access to DynamoDB could result in unintended modifications or deletions of data, which could lead to data loss or security breaches.
Option B suggests using the AmazonDynamoDBFullAccess policy template in the SAM template. This would apply the same policy as option A, giving the Lambda functions full access to DynamoDB. Again, this is not the best solution from a security perspective.
Option C suggests using the DynamoDBCrudPolicy policy template in the SAM template. This policy grants access to perform Create, Read, Update, and Delete operations on a specific DynamoDB table. This is a more secure option compared to options A and B, as it limits the access to only the necessary operations and only on the specified table. However, it does not specify any further restrictions such as limiting access to specific attributes or conditions.
Option D suggests creating an IAM role with the AWS Managed Policy AmazonDynamoDBReadOnlyAccess and attaching it to the Lambda functions. This policy grants read-only access to all DynamoDB tables and streams. While this option would not allow the Lambda functions to update the payment information, it would provide read access to the users' transaction data. This could be a good option if the Lambda functions only need to read data from DynamoDB and not modify it. However, if the Lambda functions need to update data as well, then this option would not be sufficient.
In conclusion, option C (using the DynamoDBCrudPolicy policy template in the SAM template) is the best option to resolve the issue of Lambda functions not having permissions to access the DynamoDB table. This option provides the necessary permissions for the Lambda functions to perform Create, Read, Update, and Delete operations on the specific DynamoDB table, while also limiting the access to only the necessary operations and only on the specified table.
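As an added example (not part of the original question or its application), the SAM template below shows how option C is expressed: the `DynamoDBCrudPolicy` policy template is attached to the function and scoped to one table. The table and function names are hypothetical; the commented-out line shows what option B would look like for contrast.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Added example of least-privilege table access for a payments function.

Resources:
  PaymentsTable:                      # hypothetical table holding payment records
    Type: AWS::Serverless::SimpleTable
    Properties:
      PrimaryKey:
        Name: transactionId
        Type: String

  TransactionsFunction:               # hypothetical function that reads and updates records
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/
      Environment:
        Variables:
          TABLE_NAME: !Ref PaymentsTable   # Ref on a SimpleTable returns the table name
      Policies:
        # Option C: SAM policy template scoped to this single table.
        # SAM expands it into the CRUD actions (GetItem, PutItem, UpdateItem,
        # DeleteItem, Query, Scan, batch variants) on this table's ARN only,
        # and generates the execution role itself, so no separate IAM role
        # or deployment acknowledgment for a hand-written role is needed.
        - DynamoDBCrudPolicy:
            TableName: !Ref PaymentsTable
        # Option B (avoid): an AWS managed policy name here would grant
        # dynamodb:* on every table in every region.
        # - AmazonDynamoDBFullAccess
      Events:
        GetTransactions:
          Type: Api
          Properties:
            Path: /transactions
            Method: get
```

After deploying, the generated role's inline policy can be inspected in IAM to confirm that its `Resource` is the single table ARN rather than `*`.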