Preventing Unauthorized Updates to TTL Attribute in DynamoDB Table

Question

In order to enforce compliance and auditing requirements, the TTL feature is enabled on a DynamoDB table.

What approach can be used to ensure unauthorized updates to the TTL attribute are prevented?

Answers

Explanations

A. B. C. D.

Answer: A.

Option A is CORRECT because role-based IAM policies can be used to deny specific update actions to DynamoDB tables.

Allowing dynamodb:UpdateTimeToLive is required to grant modification of TTL on a DynamoDB table.

A role policy allowing this action should be assigned to authorized users.

Option B is incorrect because you can't specify authorized users when configuring TTL.

IAM policies must be used.

Option C is incorrect because AWS does provide actions that can be allowed to update and alter TTL configuration.

Option D is incorrect because resource-based policies are used to allow AWS resources access to other services. Also, dynamodb:ConfigureTimeToLive is not the correct action.

Reference:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/time-to-live-ttl-before-you-start.html

The TTL (Time to Live) feature in DynamoDB allows for the automatic deletion of expired items from a table. This feature can be used to enforce compliance and auditing requirements by ensuring that data is automatically deleted after a certain period of time. However, to prevent unauthorized updates to the TTL attribute, it is necessary to implement additional controls.

Option A is the correct answer. This approach involves using IAM policies to deny update actions to the TTL attribute or feature configuration. Specifically, an IAM role policy is created that allows dynamodb:UpdateTimeToLive, which is then assigned to authorized users. This policy ensures that only authorized users are able to update the TTL attribute or feature configuration.

Option B is incorrect. There is no way to specify authorized user ARNs when configuring DynamoDB table TTL.

Option C is incorrect. While it is true that TTL is a DynamoDB compliance and audit feature, it can be altered once enabled.

Option D is also incorrect. Creating an inline resource-based policy that allows dynamodb:ConfigureTimeToLive and denies other update actions may prevent unauthorized updates to the TTL attribute, but it also prevents authorized users from updating other attributes of the table. This approach is too restrictive and not recommended.

In summary, the recommended approach to prevent unauthorized updates to the TTL attribute in a DynamoDB table is to use IAM policies to deny update actions to the TTL attribute or feature configuration, to create an IAM role policy that allows dynamodb:UpdateTimeToLive, and to assign that role policy only to authorized users.
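The following is an added worked example, not part of the original page or of any AWS documentation, showing the control described in the answer (option A) and in the summary above: one policy attached to the role that is authorized to change TTL, and one policy for ordinary application roles that explicitly denies dynamodb:UpdateTimeToLive. A small evaluator applies the IAM precedence rule (an explicit Deny overrides any Allow; no matching Allow is an implicit deny) so the outcome can be checked offline. The account id, region and table name are placeholders, and the evaluator is a simplified model that ignores conditions, permission boundaries and service control policies; the action names dynamodb:UpdateTimeToLive and dynamodb:DescribeTimeToLive are real DynamoDB actions.

```python
"""Offline illustration of restricting TTL configuration changes with IAM.

Assumptions (not from the page): placeholder account/region/table, and a
simplified IAM evaluator that ignores conditions, permission boundaries
and service control policies.
"""
import fnmatch
import json

# Placeholder table ARN; replace with the real table ARN in a deployment.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/AuditRecords"

# Policy for the role that is authorized to change the TTL configuration.
TTL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTtlConfiguration",
            "Effect": "Allow",
            "Action": ["dynamodb:UpdateTimeToLive", "dynamodb:DescribeTimeToLive"],
            "Resource": TABLE_ARN,
        }
    ],
}

# Policy for application roles: ordinary item access plus an explicit Deny
# on UpdateTimeToLive, so TTL cannot be changed even if another attached
# policy happens to grant it.
APP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowItemAccess",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                       "dynamodb:Query", "dynamodb:DescribeTimeToLive"],
            "Resource": TABLE_ARN,
        },
        {
            "Sid": "DenyTtlChanges",
            "Effect": "Deny",
            "Action": "dynamodb:UpdateTimeToLive",
            "Resource": "*",
        },
    ],
}

# An over-broad policy of the kind that sometimes gets attached by mistake.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow",
                   "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """True if the statement covers this action and resource (wildcards allowed)."""
    action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Simplified IAM decision: 'deny' if any explicit Deny matches,
    'allow' if some Allow matches, otherwise 'deny' (implicit)."""
    decision = "deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "deny"  # explicit deny wins over every Allow
            decision = "allow"
    return decision


def ttl_grants(policies, resource=TABLE_ARN):
    """Audit helper: Sids of Allow statements that would grant UpdateTimeToLive."""
    return [s["Sid"] for p in policies for s in p["Statement"]
            if s["Effect"] == "Allow"
            and _statement_matches(s, "dynamodb:UpdateTimeToLive", resource)]


if __name__ == "__main__":
    for name, pols in [("ttl-admin", [TTL_ADMIN_POLICY]),
                       ("app-role", [APP_ROLE_POLICY]),
                       ("app-role+overbroad", [APP_ROLE_POLICY, OVERBROAD_POLICY])]:
        verdict = evaluate(pols, "dynamodb:UpdateTimeToLive", TABLE_ARN)
        print(f"{name}: UpdateTimeToLive -> {verdict}; grants={ttl_grants(pols)}")
    print(json.dumps(APP_ROLE_POLICY, indent=2))
```

The third case is the one worth noting when reviewing access: stacking the over-broad policy on the application role still yields "deny" for UpdateTimeToLive because the explicit Deny statement takes precedence, while ttl_grants() still lists the over-broad statement so the reviewer can see which policy would have granted the action if the Deny were removed.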