A database specialist wants to grant the read role to DocumentDB user “Bob” on DocumentDB database “production”
What action must the database specialist perform to accomplish this requirement?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: D.
Option A is incorrect because IAM Policies control access to DocumentDB API actions and DocumentDB clusters and instances, not databases.
The question specifically asks for granting access to a DocumentDB database.
Additionally, the question is asking for granting access to a DocumentDB user, not an IAM user.
Option B is incorrect because IAM Policies control access to DocumentDB API actions and DocumentDB clusters and instances, not databases.
The question specifically asks for granting access to a DocumentDB database.
Additionally, the question is asking for granting access to a DocumentDB user, not an IAM user.
Option C is incorrect because DocumentDB does not support resource-based policies.
Option D is CORRECT because db.grantRolesToUser command is used for assigning DocumentDB database roles to DocumentDB database users.
Reference:
https://docs.aws.amazon.com/documentdb/latest/developerguide/role_based_access_control.htmlThe correct answer is B. Create an IAM policy with “Allow” Effect on “read” Action for the “production” DocumentDB instance resource. Assign the IAM policy to IAM User “Bob”.
Explanation: To grant the read role to DocumentDB user “Bob” on DocumentDB database “production,” we need to follow these steps:
Option A - Assign AWS Managed Policy “AmazonDocDBReadOnlyAccess” to IAM User “Bob.” This option grants the AmazonDocDBReadOnlyAccess policy to IAM User “Bob,” which provides read-only access to all DocumentDB instances in the AWS account. This option does not meet the requirement of granting read access to the "production" DocumentDB instance only, so this option is not correct.
Option B - Create an IAM policy with “Allow” Effect on “read” Action for the “production” DocumentDB instance resource. Assign the IAM policy to IAM User “Bob.” This option creates an IAM policy that allows the "read" action for the "production" DocumentDB instance resource. This policy is assigned to IAM User “Bob,” granting the user read access to the "production" DocumentDB instance. This option meets the requirement, so this is the correct answer.
Option C - Create a Resource-Based Policy with “Allow” Effect on “read” Action for DocumentDB user “Bob.” Assign the policy to the DocumentDB instance. This option creates a resource-based policy that allows the "read" action for DocumentDB user “Bob.” The policy is then assigned to the DocumentDB instance. This option is incorrect because it assigns the policy to the DocumentDB instance, but it needs to be assigned to the user.
Option D - Run command db.grantRolesToUser("Bob", [{role: "read", db: "production"}]). This option is a MongoDB shell command, not an AWS command. It is not applicable to DocumentDB, which is a fully managed non-relational database service that is compatible with MongoDB workloads. This option is incorrect.