AWS Certified Security – Specialty (SCS-C02) — Question 14
A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.
Which solutions will provide the Lambda function this access? (Choose two.)
Answer options
- A. Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.
- B. Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.
- C. Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket.
- D. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.
- E. Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group ID.
Correct answer: C, D
Explanation
The correct answers are C and D. Attaching an identity-based policy to the function's IAM role (C), or attaching a bucket policy that names that role as the principal (D), are the standard ways to grant a Lambda function access to an S3 bucket; because the bucket is in the same AWS account, either policy on its own is enough to grant the access, and the function receives temporary credentials for the role at run time with no keys to store. Options A and B rely on static credentials: A stores a long-lived IAM user access key in environment variables, and B uses an EC2 key pair, which is an SSH key with no role in S3 authentication. Neither is recommended for Lambda functions because the key material must be stored, rotated and protected by hand. Option E is wrong because security groups control network traffic and cannot be used as a principal or condition in S3 access control.
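The two correct solutions as a single CloudFormation template, added here as a worked example and not part of the original question or an AWS-supplied artifact. The bucket name `example-thumbnail-bucket` and the role and policy names are placeholders; the template assumes the bucket already exists in the same account, and it deliberately grants only `s3:GetObject` and `s3:PutObject` on objects rather than full S3 access.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Constructed example: an execution role for the thumbnail function (option C)
# plus a bucket policy naming that role as principal (option D). In the same
# account either statement alone is sufficient; both are shown for comparison.
Parameters:
  ImageBucketName:
    Type: String
    Default: example-thumbnail-bucket   # placeholder, not from the question
Resources:
  ThumbnailFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:          # only the Lambda service may assume this role
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs write access only; no S3 permissions come from here
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ThumbnailBucketReadWrite   # option C: identity-based policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]   # read source, write thumbnail
                Resource: !Sub arn:aws:s3:::${ImageBucketName}/*
  ImageBucketPolicy:                         # option D: resource-based policy
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ImageBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowThumbnailFunctionRole
            Effect: Allow
            Principal:
              AWS: !GetAtt ThumbnailFunctionRole.Arn   # the role, not an IAM user key
            Action: [s3:GetObject, s3:PutObject]
            Resource: !Sub arn:aws:s3:::${ImageBucketName}/*
```

The Lambda function itself is then created with `Role: !GetAtt ThumbnailFunctionRole.Arn`, and the AWS SDK inside it picks up the role's temporary credentials automatically, so no access key or secret ever appears in environment variables or Secrets Manager.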