ExamQuestions.com
AWS Certified Security Specialty Exam Questions

Question 188:

You have an EC2 instance that needs to work with a DynamoDB table through a VPC gateway endpoint for DynamoDB. For the IAM role used by the EC2 instance, there is a requirement to deny the DynamoDB ListTables and DescribeTable actions whenever the request does not arrive through that VPC gateway endpoint. How would you achieve this requirement?

Answer options:

A. Create a DynamoDB resource policy as below:
{
  "Statement": [
    {
      "Sid": "ReadOnly",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTables"
      ],
      "Effect": "Allow",
      "Resource": "vpce-11aa22bb"
    }
  ]
}

B. Create a VPC endpoint policy as below:
{
  "Statement": [
    {
      "Sid": "ReadOnly",
      "Principal": "*",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTables"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

C. Create an IAM policy for your IAM entities to restrict the actions as below:
{
  "Statement": [
    {
      "Sid": "ReadOnly",
      "Principal": "*",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTables"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:dynamodb:region:account-id:table/*",
      "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-11aa22bb" } }
    }
  ]
}

D. Create a VPC endpoint policy as below:
{
  "Statement": [
    {
      "Sid": "ReadOnly",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTables"
      ],
      "Effect": "Allow",
      "Resource": "vpce-11aa22bb"
    }
  ]
}
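The requirement in this question is the classic "explicit Deny unless the request came through endpoint X" pattern: an identity-based policy on the EC2 role with an explicit Deny whose condition is StringNotEquals on aws:sourceVpce. Two details matter in practice. First, aws:sourceVpce is simply absent from the request context when traffic leaves via an internet or NAT gateway, and for a negated operator such as StringNotEquals a missing key makes the condition true, so the Deny fires for such traffic exactly as intended. Second, an identity-based policy carries no Principal element, and a Deny scoped to table ARNs cannot match dynamodb:ListTables, which supports no resource-level permissions (the statement needs "Resource": "*" to cover it). The following is an added worked example, not code from the exam page or from AWS: a small evaluator that applies IAM's explicit-deny-wins rule and the negated-operator behaviour to constructed requests. The endpoint ID is the placeholder from the question; the table ARN, account ID and region are made up.

```python
"""Added example: evaluate the "deny unless via VPC endpoint" IAM pattern offline.
All identifiers below are placeholders constructed for illustration."""
from fnmatch import fnmatchcase

VPCE_ID = "vpce-11aa22bb"  # placeholder endpoint ID taken from the question
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/orders"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_policy(deny_resource="*"):
    """Identity-based policy for the EC2 role: an Allow for the two read actions plus an
    explicit Deny that fires whenever aws:sourceVpce is not the expected endpoint.
    No Principal element: the principal is the role the policy is attached to."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessViaVpce",
                "Effect": "Deny",
                "Action": ["dynamodb:DescribeTable", "dynamodb:ListTables"],
                "Resource": deny_resource,
                "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
            },
            {
                "Sid": "AllowRead",
                "Effect": "Allow",
                "Action": ["dynamodb:DescribeTable", "dynamodb:ListTables"],
                "Resource": "*",
            },
        ],
    }


def _matches(patterns, value):
    # IAM-style glob: '*' matches anything; action/ARN comparison is case-insensitive.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a key absent from the request context (traffic that
                # never traversed an endpoint) makes the condition TRUE, so the Deny fires.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' using explicit-deny-wins semantics.
    `context` holds request condition keys such as aws:sourceVpce."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def lint(policy):
    """Flag two mistakes that silently weaken this pattern in an identity-based policy."""
    issues = []
    for stmt in policy["Statement"]:
        if "Principal" in stmt:
            issues.append(f"{stmt['Sid']}: Principal is not valid in an identity-based policy")
        if (stmt["Effect"] == "Deny"
                and "dynamodb:ListTables" in _as_list(stmt["Action"])
                and "*" not in _as_list(stmt["Resource"])):
            # ListTables has no table-level resource, so a table-scoped Deny never matches it.
            issues.append(f"{stmt['Sid']}: Deny scoped to table ARNs does not cover ListTables")
    return issues


if __name__ == "__main__":
    policy = build_policy()
    for ctx in ({"aws:sourceVpce": VPCE_ID}, {"aws:sourceVpce": "vpce-0other"}, {}):
        print(ctx, "->", evaluate(policy, "dynamodb:DescribeTable", TABLE_ARN, ctx))
    print(lint(build_policy("arn:aws:dynamodb:*:*:table/*")))
```

Requests through the expected endpoint are allowed; requests through any other endpoint, or with no endpoint at all, hit the explicit Deny. The table-scoped variant of the Deny still blocks DescribeTable on a table ARN but lets ListTables through, which is the gap the lint function reports.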