A serverless application uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The Lambda function needs permissions to read and write to the DynamoDB table. Which solution will give the Lambda function access to the DynamoDB table MOST securely?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an IAM role that includes Lambda as a trusted service. Attach a policy to the role that allows read and write access to the DynamoDB table. Update the configuration of the Lambda function to use the new role as the execution role..
Why this is the answer
The correct solution is to create an IAM role for the Lambda function. This role specifies Lambda as a trusted entity, meaning Lambda can assume this role. A policy attached to this role grants the necessary read and write permissions to the DynamoDB table. By assigning this role as the Lambda function's execution role, the function automatically assumes these permissions when invoked, without needing to manage credentials explicitly. This is the most secure and recommended approach for granting permissions to AWS services.
The incorrect options involve using IAM users or misconfiguring trusted services. Using an IAM user with programmatic access and storing credentials in environment variables or Parameter Store is less secure because it requires managing and rotating credentials, increasing the risk of exposure. An IAM role with DynamoDB as a trusted service is incorrect because Lambda, not DynamoDB, needs to assume the role to perform actions.