AWS Certified Developer – Associate (DVA-C02) — Question 302
An AWS Lambda function requires read access to an Amazon S3 bucket and requires read/write access to an Amazon DynamoDB table. The correct IAM policy already exists.
What is the MOST secure way to grant the Lambda function access to the S3 bucket and the DynamoDB table?
Answer options
- A. Attach the existing IAM policy to the Lambda function.
- B. Create an IAM role for the Lambda function. Attach the existing IAM policy to the role. Attach the role to the Lambda function.
- C. Create an IAM user with programmatic access. Attach the existing IAM policy to the user. Add the user access key ID and secret access key as environment variables in the Lambda function.
- D. Add the AWS account root user access key ID and secret access key as encrypted environment variables in the Lambda function.
Correct answer: B
Explanation
Using an IAM execution role is the AWS-recommended best practice for granting permissions to Lambda functions: the function obtains short-term credentials by assuming the role, and those credentials are rotated automatically (option B). An IAM policy cannot be attached directly to a Lambda function (option A); policies must be attached to an identity such as an IAM role. Storing long-term credentials, such as IAM user access keys (option C) or root user access keys (option D), in environment variables violates the principle of least privilege and introduces unnecessary security risk.
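As an added example (not part of the original question set), the execution-role setup that option B describes expressed as the two policy documents a practitioner would actually write, plus a small audit function that flags the anti-patterns in options C and D in a Lambda function configuration; all ARNs, variable names and sample configurations below are constructed placeholders.

```python
import re

# Constructed sample ARNs; substitute your own account, bucket and table.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"

# Trust policy: lets the Lambda service assume the execution role
# (the "create a role, attach it to the function" step in option B).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy scoped to exactly what the question describes:
# read on one bucket, read/write on one table (no wildcard resources).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                    "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
         "Resource": TABLE_ARN},
    ],
}

# Variable names and value shapes that indicate long-lived access keys
# stored in the function (options C and D); AKIA/ASIA prefixes mark key IDs.
KEY_NAME_RE = re.compile(r"ACCESS_KEY|SECRET", re.I)
AKID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

def audit_lambda_config(config: dict) -> list[str]:
    """Return findings for a dict shaped like get_function_configuration output."""
    findings = []
    if not config.get("Role"):
        findings.append("no execution role attached")
    env = config.get("Environment", {}).get("Variables", {})
    for name, value in env.items():
        if KEY_NAME_RE.search(name) or AKID_RE.match(str(value)):
            findings.append(f"static credential in env var {name}")
    return findings

# Constructed sample configurations: one following option B, one following option C.
GOOD = {"Role": "arn:aws:iam::123456789012:role/lambda-exec-role",
        "Environment": {"Variables": {"TABLE_NAME": "ExampleTable"}}}
BAD = {"Environment": {"Variables": {"USER_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                                     "USER_SECRET_KEY": "example-secret"}}}
```

Running `audit_lambda_config(GOOD)` returns no findings, while the option C style configuration reports the missing role and both credential variables.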