Ace Your SCS-C01 AWS Certified Specialty Exam

An example of this is given intheIAM Documentatioi

Restricting Access to a Specific HTTP Referrer

Suppose you have a website with domain name or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the IAM account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the IAM:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the IAM:Referer condition key.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because giving public access is not a secure way to provide access Option C is invalid because IAM:sites is not a valid condition key Option D is invalid because IAM roles will not be assigned to web sites

For more information on example bucket policies please visit the below Link:

1

The correct answer is: Use the IAM:Referer key in the condition clause for the bucket policy Submit your Feedback/Queries to our Experts

The following diagram from the IAM Documentation shows how you can access the DynamoDB service from within a V without going to the Internet This can be done with the help of a VPC endpoint

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because this is used for connection between an on-premise solution and IAM

Option C is invalid because there is no such option

Option D is invalid because this is used to connect 2 VPCs

For more information on VPC endpointsfor DynamoDB, please visit the URL:

The correct answer is: Use a VPC endpoint to the DynamoDB table Submit your Feedback/Queries to our Experts

Option A and B are invalid because mapping keys to services cannot be done via either the IAM or bucket policy

Option D is invalid because keys for IAM users cannot be assigned to services

This is mentioned in the IAM Documentation

The kms:ViaService condition key limits use of a customer-managed CMK to requests from particular IAM services. (IAM managed CMKs in your account, such as IAM/s3, are always restricted to the IAM service that created them.)

For example, you can use kms:V1aService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from IAM Lambda.

For more information on key policy's for KMS please visit the following URL:

The correct answer is: Use the kms:ViaServtce condition in the Key policy Submit your Feedback/Queries to our Experts

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options B,C and D are invalid because you need to ensure a trust policy is in place and not a grant, user or group policy or more information on the IAM role permissions please visit the below Link:

The correct answer is: Ensure that there is a trust policy in place for the IAM Config service within the role

Submit your Feedback/Queries to our Experts