AWS Certified Developer – Associate — Question 188

An AWS Lambda function requires read access to an Amazon S3 bucket and requires read/write access to an Amazon DynamoDB table. The correct IAM policy already exists.

What is the MOST secure way to grant the Lambda function access to the S3 bucket and the DynamoDB table?

Answer options

• A. Attach the existing IAM policy to the Lambda function.
• B. Create an IAM role for the Lambda function. Attach the existing IAM policy to the role. Attach the role to the Lambda function.
• C. Create an IAM user with programmatic access. Attach the existing IAM policy to the user. Add the user access key ID and secret access key as environment variables in the Lambda function.
• D. Add the AWS account root user access key ID and secret access key as encrypted environment variables in the Lambda function.

Correct answer: B

Explanation

Creating an IAM role for the Lambda function and attaching the existing IAM policy to that role is the most secure approach because it adheres to the principle of least privilege and avoids hardcoding sensitive credentials. Options A, C, and D expose security risks by either directly linking the policy to the function without a role or using IAM user/root credentials, which can lead to potential misuse.