AWS Certified Developer – Associate (DVA-C02) — Question 161

A developer has code that is stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function across multiple accounts in the same AWS Region as the S3 bucket. An AWS CloudFormation template that runs for each account will deploy the Lambda function.

What is the MOST secure way to allow CloudFormation to access the Lambda code in the S3 bucket?

Answer options

• A. Grant the CloudFormation service role the S3 ListBucket and GetObject permissions. Add a bucket policy to Amazon S3 with the principal of “AWS”: [account numbers].
• B. Grant the CloudFormation service role the S3 GetObject permission. Add a bucket policy to Amazon S3 with the principal of “*”.
• C. Use a service-based link to grant the Lambda function the S3 ListBucket and GetObject permissions by explicitly adding the S3 bucket’s account number in the resource.
• D. Use a service-based link to grant the Lambda function the S3 GetObject permission. Add a resource of “*” to allow access to the S3 bucket.

Correct answer: A

Explanation

The correct answer is A, as it grants the necessary permissions while specifying the principal accounts, ensuring limited access to only authorized accounts. Option B is less secure because it uses a wildcard principal, allowing access to anyone. Options C and D incorrectly suggest granting permissions directly to the Lambda function instead of the CloudFormation service role, which does not address the specific requirements of the question.