AWS Certified Developer – Associate — Question 439
A developer is writing an AWS Lambda function. The Lambda function needs to access items that are stored in an Amazon DynamoDB table.
What is the MOST secure way to configure this access for the Lambda function?
Answer options
- A. Create an IAM user that has permissions to access the DynamoDB table. Create an access key for this user. Store the access key ID and secret access key in the Lambda function environment variables.
- B. Add a resource-based policy to the DynamoDB table to allow access from the Lambda function's IAM role.
- C. Create an IAM policy that allows access to the DynamoDB table. Attach this policy to the Lambda function's IAM role.
- D. Create a DynamoDB Accelerator (DAX) cluster. Configure the Lambda function to use the DAX cluster to access the DynamoDB table.
Correct answer: C
Explanation
The most secure way to grant an AWS Lambda function access to other AWS resources is by using an IAM execution role with an attached policy containing the necessary permissions. DynamoDB does not support resource-based policies, making Option B invalid, and storing long-term IAM user credentials in environment variables as in Option A is a security risk. Option D introduces a caching service (DAX) but does not resolve the underlying authentication and authorization requirements.