This DBS-C01 practice question tests your understanding of workload-specific database design. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: cognito Identity Pools. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. An application uses Cognito identity pools to authenticate users and dynamodb:LeadingKeys condition to restrict access to items where the partition key matches the user's sub. Some users report that they can see items belonging to other users. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
The IAM policy does not include a condition for the table
Why wrong: Incorrect. The IAM policy does include a condition (LeadingKeys). The problem is not missing condition but likely the condition key value (sub) being wrong due to Cognito misconfiguration.
B
The Cognito identity pool is not configured correctly
Correct. Cognito identity pool misconfiguration can cause users to receive incorrect sub values, allowing them to access items keyed to other users.
C
The table ARN is incorrect
Why wrong: Incorrect. An incorrect table ARN would result in access denied errors, not seeing other users' items.
D
The ForAllValues:StringEquals should be ForAnyValue:StringEquals
Why wrong: Incorrect. ForAllValues:StringEquals is the AWS-recommended operator for LeadingKeys. Switching to ForAnyValue would not fix the issue and may introduce security gaps.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The Cognito identity pool is not configured correctly
Option B is correct because if the Cognito identity pool is not configured correctly, users may receive incorrect or shared identity IDs (sub claims). Since the access policy uses dynamodb:LeadingKeys with the sub, incorrect identity IDs lead to users accessing items that belong to other users. Options A and D are incorrect: A) The IAM policy includes the LeadingKeys condition, but the issue is the identity source, not the policy structure. D) Using ForAllValues:StringEquals is AWS best practice; switching to ForAnyValue would be less restrictive and not recommended. Option C is unlikely as an incorrect table ARN would cause access denial, not cross-user access.
Key principle: Cognito Identity Pools
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The IAM policy does not include a condition for the table
Why it's wrong here
Incorrect. The IAM policy does include a condition (LeadingKeys). The problem is not missing condition but likely the condition key value (sub) being wrong due to Cognito misconfiguration.
✓
The Cognito identity pool is not configured correctly
Why this is correct
Correct. Cognito identity pool misconfiguration can cause users to receive incorrect sub values, allowing them to access items keyed to other users.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Cognito Identity Pools
✗
The table ARN is incorrect
Why it's wrong here
Incorrect. An incorrect table ARN would result in access denied errors, not seeing other users' items.
✗
The ForAllValues:StringEquals should be ForAnyValue:StringEquals
Why it's wrong here
Incorrect. ForAllValues:StringEquals is the AWS-recommended operator for LeadingKeys. Switching to ForAnyValue would not fix the issue and may introduce security gaps.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Candidates may focus on the IAM policy syntax but overlook that the identity provider (Cognito) must correctly assign unique identifiers. Misconfiguration at the identity layer can break fine-grained access control even with correct policies.
Detailed technical explanation
How to think about this question
Under the hood, `ForAllValues:StringEquals` in an IAM policy evaluates to true if every key in the request matches a key in the policy's condition values, but crucially, if the request has no keys (e.g., a scan without a partition key), the condition is vacuously true, granting unintended access. In DynamoDB, `LeadingKeys` restricts operations to items with a specific partition key value; using `ForAllValues` can allow a user to query items with a different partition key if the policy's condition key list is not exhaustive or if the request omits the key entirely. A real-world scenario is a multi-tenant app where a user's `sub` claim is used as the partition key; using `ForAllValues` instead of `ForAnyValue` could let a user access another tenant's data by simply not including their own `sub` in the request.
KKey Concepts to Remember
Cognito Identity Pools
dynamodb:LeadingKeys
ForAllValues:StringEquals
Fine-Grained Access Control
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Cognito Identity Pools
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review cognito Identity Pools, then practise related DBS-C01 questions on the same topic to reinforce the concept.
The correct answer is: The Cognito identity pool is not configured correctly — Option B is correct because if the Cognito identity pool is not configured correctly, users may receive incorrect or shared identity IDs (sub claims). Since the access policy uses dynamodb:LeadingKeys with the sub, incorrect identity IDs lead to users accessing items that belong to other users. Options A and D are incorrect: A) The IAM policy includes the LeadingKeys condition, but the issue is the identity source, not the policy structure. D) Using ForAllValues:StringEquals is AWS best practice; switching to ForAnyValue would be less restrictive and not recommended. Option C is unlikely as an incorrect table ARN would cause access denial, not cross-user access.
What should I do if I get this DBS-C01 question wrong?
Review cognito Identity Pools, then practise related DBS-C01 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Cognito Identity Pools
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This DBS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DBS-C01 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.