AWS Certified Developer – Associate (DVA-C02) — Question 162

An application that runs on AWS Lambda requires access to specific highly confidential objects in an Amazon S3 bucket. In accordance with the principle of least privilege, a company grants access to the S3 bucket by using only temporary credentials.

How can a developer configure access to the S3 bucket in the MOST secure way?

Answer options

• A. Hardcode the credentials that are required to access the S3 objects in the application code. Use the credentials to access the required S3 objects.
• B. Create a secret access key and access key ID with permission to access the S3 bucket. Store the key and key ID in AWS Secrets Manager. Configure the application to retrieve the Secrets Manager secret and use the credentials to access the S3 objects.
• C. Create a Lambda function execution role. Attach a policy to the role that grants access to specific objects in the S3 bucket.
• D. Create a secret access key and access key ID with permission to access the S3 bucket. Store the key and key ID as environment variables in Lambda. Use the environment variables to access the required S3 objects.

Correct answer: C

Explanation

The correct answer is C because creating a Lambda function execution role with a policy that grants specific access adheres to the principle of least privilege while avoiding hardcoding credentials. Options A and D are insecure as they involve storing sensitive information directly in code or environment variables, which increases the risk of exposure. Option B, while more secure than A and D, still involves static credentials that could lead to security vulnerabilities if not managed properly.