A healthcare company is deploying a machine learning model on Amazon SageMaker to analyze patient records. The model requires access to a DynamoDB table containing patient data. Which combination of AWS services and features should the company use to restrict access to only the necessary resources?
Trap 1: Attach a DynamoDB resource-based policy to the table allowing…
DynamoDB did not support resource-based policies until 2024, and even where they exist a table policy alone cannot grant a notebook access: the notebook still needs an IAM role to obtain credentials and sign requests, so that role's policy is where least privilege is enforced.
Trap 2: Store AWS access keys in the notebook and use those credentials to…
Embedding long-term access keys is insecure: they never expire unless rotated by hand, they leak easily through notebook exports, snapshots and version control, and they cannot be bound to the instance the way a role's temporary credentials are.
Trap 3: Launch the SageMaker notebook in a VPC with a security group that…
VPC security groups control network traffic, not IAM permissions.
- A
Attach a DynamoDB resource-based policy to the table allowing access from the SageMaker notebook
Why wrong: DynamoDB did not support resource-based policies until 2024, and even where they exist a table policy alone cannot grant a notebook access: the notebook still needs an IAM role to obtain credentials and sign requests, so that role's policy is where least privilege is enforced.
- B
Create an IAM role with a policy granting read-only access to the specific DynamoDB table and attach it to the SageMaker notebook instance
Why right: This follows the least-privilege principle. The role's policy is scoped to read-only actions on the one table the model needs, the role's trust policy lets only the SageMaker service assume it, and the notebook receives short-lived credentials by assuming the role rather than storing keys.
- C
Store AWS access keys in the notebook and use those credentials to access DynamoDB
Why wrong: Embedding long-term access keys is insecure: they never expire unless rotated by hand, they leak easily through notebook exports, snapshots and version control, and they cannot be bound to the instance the way a role's temporary credentials are.
- D
Launch the SageMaker notebook in a VPC with a security group that allows access to DynamoDB
Why wrong: VPC security groups control network traffic, not IAM permissions.
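The two policy documents behind option B, as an added example (not part of the original question): a trust policy that lets only the SageMaker service assume the role, and a permission policy that allows read-only DynamoDB actions on a single table ARN. A small offline evaluator then shows what the policy does and does not permit, beside the "dynamodb:* on *" anti-pattern for contrast. The account ID, region and table name are constructed placeholders; the evaluator models only Action/Resource matching and the Deny-over-Allow rule, not IAM Conditions.

```python
"""Least-privilege IAM role for a SageMaker notebook that reads one DynamoDB table.

Added example, not from the original question. Account ID, region and table
name below are constructed placeholders (assumptions); substitute real values.
"""
import fnmatch
import json

# Constructed placeholders (assumptions).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TABLE_NAME = "PatientRecords"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}"

# Only the read operations the model needs: no Put/Update/Delete, no table management.
READ_ACTIONS = [
    "dynamodb:GetItem",
    "dynamodb:BatchGetItem",
    "dynamodb:Query",
    "dynamodb:Scan",
    "dynamodb:DescribeTable",
]


def trust_policy() -> dict:
    """Trust policy: only the SageMaker service principal may assume the role.

    This is what lets the notebook instance obtain short-lived STS credentials,
    so nobody has to embed long-term access keys in the notebook.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "sagemaker.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def read_only_table_policy(table_arn: str) -> dict:
    """Permission policy scoped to one table ARN, plus its indexes so Query on a GSI works."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnePatientTable",
                "Effect": "Allow",
                "Action": READ_ACTIONS,
                "Resource": [table_arn, f"{table_arn}/index/*"],
            }
        ],
    }


def overly_broad_policy() -> dict:
    """The anti-pattern for comparison: every DynamoDB action on every table in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold_case: bool = False) -> bool:
    # IAM wildcard semantics: '*' matches any run of characters (including ':' and '/'),
    # '?' matches one. Action names compare case-insensitively; resource ARNs do not.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal identity-policy evaluator: an explicit Deny wins, an Allow is required,
    and anything not mentioned is implicitly denied. Conditions are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, fold_case=True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # These documents go to `aws iam create-role --assume-role-policy-document`
    # and `aws iam put-role-policy --policy-document` respectively.
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(read_only_table_policy(TABLE_ARN), indent=2))
    other_table = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/Billing"
    for name, pol in (("read-only", read_only_table_policy(TABLE_ARN)), ("broad", overly_broad_policy())):
        print(name, "Query own table:   ", is_allowed(pol, "dynamodb:Query", TABLE_ARN))
        print(name, "PutItem own table: ", is_allowed(pol, "dynamodb:PutItem", TABLE_ARN))
        print(name, "GetItem other table:", is_allowed(pol, "dynamodb:GetItem", other_table))
```

After creating the role with the two documents, pass its ARN to `aws sagemaker create-notebook-instance --role-arn ...`. Inside the notebook, `aws sts get-caller-identity` should report an assumed-role ARN for that role, and an attempted `put-item` on the table should fail with AccessDeniedException, which is the check that the scoping actually took effect. The policy above covers only the DynamoDB side: if the table is encrypted with a customer-managed KMS key the role also needs `kms:Decrypt` on that key, and the notebook's own needs (CloudWatch Logs, S3 for artifacts) are separate statements that should be scoped just as tightly.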