An application uses multiple AWS Lambda functions to retrieve sensitive data from a single Amazon S3 bucket. The company must ensure that only authorized Lambda functions can access the data, following the principle of least privilege. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an individual IAM role for each Lambda function, grant each role access to the S3 bucket, and assign the corresponding IAM role as the Lambda execution role..
Why this is the answer
Creating an individual IAM role for each Lambda function and granting only the necessary S3 access to that specific role is the correct solution. This directly implements the principle of least privilege, ensuring that if one Lambda function is compromised, others are not automatically granted the same access. Assigning this specific IAM role as the Lambda execution role ensures the function operates with only the permissions it needs. Granting full S3 access to all Lambda functions via a shared IAM role violates the principle of least privilege, as all functions would have excessive permissions. Configuring a bucket policy based on VPC endpoint IP addresses is complex and less secure than IAM roles for function-specific access, as IP addresses can change or be shared. Using function ARNs in a bucket policy is not directly supported for granting access to Lambda execution roles; IAM roles are the standard and most secure way to manage permissions for Lambda functions.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed