AWS Certified Developer – Associate (DVA-C02) — Question 433
A developer is automating a new application deployment with AWS Serverless Application Model (AWS SAM). The new application has one AWS Lambda function and one Amazon S3 bucket. The Lambda function must access the S3 bucket to only read objects.
How should the developer configure AWS SAM to grant the necessary read privilege to the S3 bucket?
Answer options
- A. Reference a second Lambda authorizer function.
- B. Add a custom S3 bucket policy to the Lambda function.
- C. Create an Amazon Simple Queue Service (SQS) topic for only S3 object reads. Reference the topic in the template.
- D. Add the S3ReadPolicy template to the Lambda function's execution role.
Correct answer: D
Explanation
AWS SAM provides a set of predefined policy templates, such as S3ReadPolicy, that can be added to a Lambda function's execution role to grant specific permissions on AWS resources. Using these built-in templates keeps the SAM template short and follows the principle of least privilege, because the function receives only the read permissions it needs. The other options, such as a Lambda authorizer or an SQS queue, do not address the Lambda function's need for S3 read permissions.
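As an added worked example (not part of the original question or its explanation), the following minimal SAM template implements option D for the scenario described: one bucket, one function, and the S3ReadPolicy template attached to the function. The resource names, runtime, handler and code location are assumptions.

```yaml
# Added example, not from the original page: a minimal AWS SAM template for the
# scenario in the question. Resource names, runtime and CodeUri are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: One Lambda function with read-only access to one S3 bucket

Resources:
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Bucket-side hardening (assumed settings, independent of the SAM policy template)
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ReadOnlyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler
      Runtime: python3.12
      CodeUri: src/
      Environment:
        Variables:
          # !Ref on an AWS::S3::Bucket resource returns the bucket name
          BUCKET_NAME: !Ref DataBucket
      # Option D: the S3ReadPolicy policy template. SAM expands it into an inline
      # IAM policy on the execution role it generates for this function, scoped to
      # the named bucket and its objects and limited to read-only S3 actions.
      # The BucketName parameter expects a bucket name, not an ARN.
      # Do not use the managed policy name AmazonS3FullAccess here: it grants
      # write and delete on every bucket in the account.
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref DataBucket

Outputs:
  FunctionArn:
    Value: !GetAtt ReadOnlyFunction.Arn
  ExecutionRoleArn:
    # SAM names the generated role <FunctionLogicalId>Role; review its policies
    # in IAM to confirm only read actions on DataBucket were granted.
    Value: !GetAtt ReadOnlyFunctionRole.Arn
```

After `sam deploy`, the ExecutionRoleArn output points at the generated role, whose inline policy should list only read actions against the DataBucket ARN and its `/*` object path.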