Question 790 of 1,730
Workload-Specific Database DesignhardMultiple ChoiceObjective-mapped

DBS-C01 Cognito Identity Pools Practice Question

This DBS-C01 practice question tests your understanding of workload-specific database design. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: cognito Identity Pools. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```

Refer to the exhibit. An application uses Cognito identity pools to authenticate users and dynamodb:LeadingKeys condition to restrict access to items where the partition key matches the user's sub. Some users report that they can see items belonging to other users. What is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The Cognito identity pool is not configured correctly

Option B is correct because if the Cognito identity pool is not configured correctly, users may receive incorrect or shared identity IDs (sub claims). Since the access policy uses dynamodb:LeadingKeys with the sub, incorrect identity IDs lead to users accessing items that belong to other users. Options A and D are incorrect: A) The IAM policy includes the LeadingKeys condition, but the issue is the identity source, not the policy structure. D) Using ForAllValues:StringEquals is AWS best practice; switching to ForAnyValue would be less restrictive and not recommended. Option C is unlikely as an incorrect table ARN would cause access denial, not cross-user access.

Key principle: Cognito Identity Pools

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The IAM policy does not include a condition for the table

    Why it's wrong here

    Incorrect. The IAM policy does include a condition (LeadingKeys). The problem is not missing condition but likely the condition key value (sub) being wrong due to Cognito misconfiguration.

  • The Cognito identity pool is not configured correctly

    Why this is correct

    Correct. Cognito identity pool misconfiguration can cause users to receive incorrect sub values, allowing them to access items keyed to other users.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Cognito Identity Pools

  • The table ARN is incorrect

    Why it's wrong here

    Incorrect. An incorrect table ARN would result in access denied errors, not seeing other users' items.

  • The ForAllValues:StringEquals should be ForAnyValue:StringEquals

    Why it's wrong here

    Incorrect. ForAllValues:StringEquals is the AWS-recommended operator for LeadingKeys. Switching to ForAnyValue would not fix the issue and may introduce security gaps.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Candidates may focus on the IAM policy syntax but overlook that the identity provider (Cognito) must correctly assign unique identifiers. Misconfiguration at the identity layer can break fine-grained access control even with correct policies.

Detailed technical explanation

How to think about this question

Under the hood, `ForAllValues:StringEquals` in an IAM policy evaluates to true if every key in the request matches a key in the policy's condition values, but crucially, if the request has no keys (e.g., a scan without a partition key), the condition is vacuously true, granting unintended access. In DynamoDB, `LeadingKeys` restricts operations to items with a specific partition key value; using `ForAllValues` can allow a user to query items with a different partition key if the policy's condition key list is not exhaustive or if the request omits the key entirely. A real-world scenario is a multi-tenant app where a user's `sub` claim is used as the partition key; using `ForAllValues` instead of `ForAnyValue` could let a user access another tenant's data by simply not including their own `sub` in the request.

KKey Concepts to Remember

  • Cognito Identity Pools
  • dynamodb:LeadingKeys
  • ForAllValues:StringEquals
  • Fine-Grained Access Control

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Cognito Identity Pools

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Review cognito Identity Pools, then practise related DBS-C01 questions on the same topic to reinforce the concept.

Related practice questions

Related DBS-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DBS-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DBS-C01 question test?

Workload-Specific Database Design — This question tests Workload-Specific Database Design — Cognito Identity Pools.

What is the correct answer to this question?

The correct answer is: The Cognito identity pool is not configured correctly — Option B is correct because if the Cognito identity pool is not configured correctly, users may receive incorrect or shared identity IDs (sub claims). Since the access policy uses dynamodb:LeadingKeys with the sub, incorrect identity IDs lead to users accessing items that belong to other users. Options A and D are incorrect: A) The IAM policy includes the LeadingKeys condition, but the issue is the identity source, not the policy structure. D) Using ForAllValues:StringEquals is AWS best practice; switching to ForAnyValue would be less restrictive and not recommended. Option C is unlikely as an incorrect table ARN would cause access denial, not cross-user access.

What should I do if I get this DBS-C01 question wrong?

Review cognito Identity Pools, then practise related DBS-C01 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Cognito Identity Pools

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More DBS-C01 practice questions

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DBS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DBS-C01 exam.