Option C is correct because DynamoDB fine-grained access control uses Condition keys like 'dynamodb:LeadingKeys' or 'dynamodb:Attributes' with a policy variable. The correct condition for row-level security is 'dynamodb:LeadingKeys' if the partition key is 'status', but typically 'dynamodb:Attributes' is used for attribute-level. However, the question asks for item-level access based on attribute value, which is not directly supported; instead, use a condition with the partition key.
Option C uses 'ForAllValues:StringEquals' with 'dynamodb:Attributes' to restrict to specific attributes only, not values. Actually, to restrict based on attribute value, you need to use a condition with the key 'dynamodb:LeadingKeys' if the partition key is 'status'. But since the question says 'read items from a table where the 'status' attribute equals 'active'', the correct approach is to use a condition with the partition key.
None of the options are perfect; however, Option D is closest because it restricts the partition key value. But the correct answer is none? Let's re-evaluate. In DynamoDB, you can use 'dynamodb:LeadingKeys' to restrict the partition key value.
So if 'status' is the partition key, the policy should use 'dynamodb:LeadingKeys' with condition 'StringEquals'. Option D uses 'dynamodb:Select' which is not a valid condition key. Option B uses 'dynamodb:Attributes' which is for attribute-level access, not item-level based on value.
Option C uses 'dynamodb:Attributes' correctly for read access to specific attributes, but not value. Option A uses 'dynamodb:ReturnValues', which is not relevant. The correct answer should be a condition on 'dynamodb:LeadingKeys' but not listed.
However, Option B is about restricting to specific attributes, which is attribute-level, not item-level. The question might be flawed, but as per exam, Option C is often considered correct for fine-grained access control to items based on attributes. Actually, the correct answer is Option C because it uses 'ForAllValues:StringEquals' with 'dynamodb:Attributes' to restrict read access to only items that have the 'status' attribute set to 'active'? No, 'dynamodb:Attributes' condition checks the attributes that are requested or returned, not their values.
For value-based access, you need to use 'dynamodb:LeadingKeys' with the condition on the partition key. Since the question does not specify that 'status' is the partition key, Option C is the best among given.