In order to enforce compliance and auditing requirements, the TTL feature is enabled on a DynamoDB table. What approach can be used to ensure unauthorized updates to the TTL attribute are prevented?

Answer options:

A.Use IAM policies to deny update actions to the TTL attribute or feature configuration. Create an IAM role policy that allows dynamodb:UpdateTimeToLive.Assign the role policy to the authorized users.
B.When configuring DynamoDB table TTL, specify authorized users ARNs.
C.TTL is a DynamoDB compliance and audit feature and cannot be altered once enabled.
D.Create an inline resource-based policy that allows dynamodb:ConfigureTimeToLive and denies other update actions.Attach the policy to the DynamoDB table.

Answer: A
Option A is CORRECT because role-based IAM policies can be used to deny specific update actions to DynamoDB tables. Allowing Dynamodb:UpdateTimeToLive is required to grant modification of TTL on a DynamoDB table. A role policy allowing this action should be assigned to authorized users.
Option B is incorrect because you can’t specify authorized users when configuring TTL. IAM policies must be used.
Option C is incorrect because AWS does provide actions that can be allowed to update and alter TTL configuration.
Option D is incorrect because resource-based policies are used to allow AWS resources access to other services.Also, dynamodb:ConfigureTimeToLive is not the correct action.
Reference:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/time-to-live-ttl-before-you-start.html