A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs permissions to perform the uploads. The developer already has an IAM user with valid IAM credentials for Amazon S3. What should a solutions architect do to grant the required permissions?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function..
Why this is the answer
Attaching an IAM execution role to the Lambda function is the correct and most secure approach. Lambda functions assume this role when they execute, granting them the necessary permissions to interact with other AWS services like S3. This follows the principle of least privilege, as the function only gets the permissions it needs. Adding permissions to the Lambda function's resource policy is incorrect because resource policies define who can invoke the function, not what the function itself can do. Creating a signed request using existing IAM credentials in the Lambda function is less secure and more complex to manage than using an execution role. Creating a new IAM user for the Lambda function is also less secure and goes against AWS best practices for granting permissions to services; roles are designed for this purpose.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed