An organization uses an IAM group DatabaseAdmin to manage administrative access to its database services.
What is the best way to prevent accidental deletion of a DynamoDB table?
A. Enable deletion protection on the DynamoDB table.
B. Create a resource-based inline policy with an explicit deny on the dynamodb:DeleteTable action and attach it to the DynamoDB table.
C. Create an inline policy with an explicit deny on the dynamodb:DeleteTable action and attach it to each user in the DatabaseAdmin group.
D. Create an IAM policy with an explicit deny on the dynamodb:DeleteTable action and attach it to the DatabaseAdmin group.

Answer: D.
Option A is incorrect. The claim that DynamoDB has no deletion protection feature is outdated: tables do support deletion protection (the DeletionProtectionEnabled table setting), but it is a per-table switch that any principal with dynamodb:UpdateTable permission can turn off before deleting, and it does not use the DatabaseAdmin group's permissions to control who may delete, which is what the question asks for.
Option B is incorrect because the requirement is expressed in terms of the DatabaseAdmin group's permissions, and identity-based access control on the group is the best practice for controlling which actions its members are authorized to perform; a policy attached to the table cannot be scoped by group membership.
Option C is incorrect for the same reason: inline policies on individual users have to be created and maintained one user at a time and do not follow group membership, so they are a poor way to enforce a group-level rule.
Option D is CORRECT because attaching an IAM policy with an explicit deny on dynamodb:DeleteTable to the DatabaseAdmin group is the optimal solution: an explicit deny overrides any Allow granted by the group's other policies, and it applies automatically to every current and future member of the group.
Reference:
https://aws.amazon.com/blogs/database/preventing-accidental-table-deletion-in-dynamodb/

The best way to prevent accidental deletion of a DynamoDB table when administrative access is managed through the IAM group DatabaseAdmin is to create an IAM policy with an explicit deny on the dynamodb:DeleteTable action and attach it to the DatabaseAdmin group.
Option A, enabling deletion protection on the DynamoDB table, is a useful safeguard against accidental deletions, but it does not address intentional deletions by authorized users: any principal with dynamodb:UpdateTable permission on the table can disable the protection and then delete the table, and the setting has to be enabled on every table individually.
Option B, creating a resource-based inline policy with an explicit deny on the dynamodb:DeleteTable action and attaching it to the DynamoDB table, would have to be maintained on every table and, written without principal scoping, would prevent all users from deleting the table, including those who have legitimate reasons to do so. It is important to note that a resource-based policy is evaluated for every principal that interacts with the resource, and an IAM group cannot be named as a Principal in a resource-based policy, so group membership cannot be used to scope it.
Option C, creating an inline policy with an explicit deny on the dynamodb:DeleteTable action and attaching it to the individual users of the DatabaseAdmin group, would block the users it is attached to, but it does not cover the group as a whole: the policy must be copied to each user, and any user added to the group later does not inherit it, so the control drifts away from the group it is meant to govern.
Therefore, option D, creating an IAM policy with an explicit deny on the dynamodb:DeleteTable action and attaching it to the DatabaseAdmin group, is the best solution. An explicit deny cannot be overridden by any Allow in the group's other identity-based policies or in a resource-based policy, so members of the group lose the ability to delete tables while keeping every other administrative permission on them, and every current and future member of the group is covered without per-user maintenance.
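A worked example, added here and not part of the original question or of any AWS-published code: the policy document that option D describes, together with a small offline model of IAM's evaluation order (a matching explicit Deny wins over any Allow; no matching statement is an implicit deny) used to confirm that the policy blocks dynamodb:DeleteTable while leaving other table operations allowed. The group name DatabaseAdmin comes from the question; the policy name DenyDynamoDBTableDeletion, the account ID, the table ARN and the assumed pre-existing dynamodb:* Allow are constructed for the example, and the evaluator is a simplified model rather than the AWS evaluation engine.

```python
"""Explicit-deny guard for dynamodb:DeleteTable on the DatabaseAdmin group.

Added example, not code from the original page or from AWS. The group
name DatabaseAdmin is from the question; the policy name, account ID,
table ARN and the assumed existing Allow policy are constructed here.
The evaluator is a deliberately small model of IAM identity-policy
evaluation (explicit Deny beats any Allow; no matching statement is an
implicit deny), not the AWS engine: conditions, NotAction/NotResource,
resource-based policies, SCPs and permission boundaries are not modelled.
"""
import fnmatch
import json

# Customer-managed policy to attach to the DatabaseAdmin group (option D).
# Resource "*" covers every table, existing or created later.
DENY_DELETE_TABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDynamoDBTableDeletion",
            "Effect": "Deny",
            "Action": "dynamodb:DeleteTable",
            "Resource": "*",
        }
    ],
}

# Assumed broad permission the group already holds (a constructed stand-in
# for a managed admin policy), used to show that the Deny wins over it.
ASSUMED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """True only if some statement allows the request and no statement denies it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource forms are out of scope here
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny is final, whatever the policy order
            allowed = True
    return allowed  # no matching statement at all -> implicit deny


def policy_document_json():
    """Document to save and pass to `aws iam create-policy --policy-document file://...`."""
    return json.dumps(DENY_DELETE_TABLE_POLICY, indent=2)


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"  # constructed ARN
    before = [ASSUMED_ADMIN_POLICY]
    after = [ASSUMED_ADMIN_POLICY, DENY_DELETE_TABLE_POLICY]
    for action in ("dynamodb:DeleteTable", "dynamodb:UpdateTable", "dynamodb:PutItem"):
        print(f"{action:24} before={is_allowed(before, action, table)!s:5} "
              f"after={is_allowed(after, action, table)}")
    print(policy_document_json())
```

To apply it, save the document and run `aws iam create-policy --policy-name DenyDynamoDBTableDeletion --policy-document file://deny-delete-table.json`, then `aws iam attach-group-policy --group-name DatabaseAdmin --policy-arn arn:aws:iam::<account-id>:policy/DenyDynamoDBTableDeletion` (account ID is yours). The check a practitioner wants afterwards is the IAM policy simulator: `aws iam simulate-principal-policy --policy-source-arn <arn-of-a-group-member> --action-names dynamodb:DeleteTable` should report `"EvalDecision": "explicitDeny"`, while the same call for dynamodb:UpdateTable still reports `allowed`.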