What should a solutions architect do to provide the marketing team with the appropriate access to the DynamoDB table?
Create an SCP to grant the marketing team’s AWS account access to the specific attributes of the DynamoDB table. Attach the SCP to the OU of the finance team.
Create an IAM role in the finance team’s account by using IAM policy conditions for specific DynamoDB attributes (fine-grained access control). Establish trust with the marketing team’s account. In the marketing team’s account, create an IAM role that has permissions to assume the IAM role in the finance team’s account.
Create a resource-based IAM policy that includes conditions for specific DynamoDB attributes (fine-grained access control). Attach the policy to the DynamoDB table. In the marketing team’s account, create an IAM role that has permissions to access the DynamoDB table in the finance team’s account.
Create an IAM role in the finance team’s account to access the DynamoDB table. Use an IAM permissions boundary to limit the access to the specific attributes. In the marketing team’s account, create an IAM role that has permissions to assume the IAM role in the finance team’s account.
Explanations:
Service Control Policies (SCPs) are used to manage permissions at the organizational level in AWS Organizations, but they cannot grant fine-grained access to specific DynamoDB attributes. SCPs only affect permissions at the account level and do not provide attribute-level access control.
Creating an IAM role in the finance team’s account with policy conditions allows for fine-grained access control to specific attributes of the DynamoDB table. By establishing trust between the roles in the two accounts, the marketing team can assume the finance account’s role and receive only the access that the conditions grant to the specified attributes.
Resource-based IAM policies do not support fine-grained access control for specific DynamoDB attributes. While they can control access at the resource level, they do not allow for detailed attribute-level restrictions, making this option insufficient for the requirement.
IAM permissions boundaries do not provide fine-grained control over specific attributes in DynamoDB; they are used to set limits on what actions a role can perform. This option does not adequately meet the need for controlled access to specific attributes within the DynamoDB table.
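As an added example (not part of the original question), the following CloudFormation template shows the finance-account role from the second option: its trust policy admits one role from the marketing account, and its permissions policy uses the dynamodb:Attributes and dynamodb:Select condition keys so that reads can only return the named attributes. The account ID, role names, table name and attribute names are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Finance-account role granting attribute-level DynamoDB reads to the marketing account (added example; all names and IDs are placeholders)

Parameters:
  MarketingAccountId:
    Type: String
    Default: "111111111111"   # placeholder for the marketing team's account ID
  TableName:
    Type: String
    Default: FinanceLedger    # assumed table name

Resources:
  MarketingReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MarketingDynamoDBReadRole
      # Trust policy: only this one role in the marketing account may assume the role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${MarketingAccountId}:role/MarketingAnalystRole"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: FineGrainedAttributeRead
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:BatchGetItem
                  - dynamodb:Query
                  - dynamodb:Scan
                Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"
                Condition:
                  # every attribute a request names must appear in this allow-list
                  ForAllValues:StringEquals:
                    dynamodb:Attributes:
                      - InvoiceId
                      - Region
                      - TotalAmount
                  # requests must ask for specific attributes; "return everything" is denied
                  StringEqualsIfExists:
                    dynamodb:Select: SPECIFIC_ATTRIBUTES

Outputs:
  RoleArn:
    Value: !GetAtt MarketingReadRole.Arn
```

The marketing account's MarketingAnalystRole still needs its own identity policy allowing sts:AssumeRole on the output role ARN, which is the second half of the option.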