AWS Certified Security – Specialty — Question 390
A company’s data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key. The company has AWS Lambda functions that run in the same account as the S3 bucket. The Lambda functions need to access the data in the S3 bucket. A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.
What should the security engineer do to meet this requirement?
Answer options
- A. Create Lambda IAM users for each Lambda function. Attach an IAM policy that includes specific access permissions to use the KMS key.
- B. Create a key grant for the Lambda service principal. Add or remove specific access permissions to use the KMS key.
- C. Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.
- D. Configure each Lambda function to assume an IAM role that provides specific access permissions to use the AWS managed KMS key for Amazon S3.
Correct answer: C
Explanation
To enforce granular, per-function access controls, the security engineer should create a unique AWS Lambda execution role for each function and grant that role the specific permissions it needs to use the customer managed KMS key. Execution roles are the standard, secure mechanism for delegating permissions to Lambda functions: each function assumes its own role and receives only the permissions attached to it. The other options fall short: IAM users with long-lived credentials (A) are not how Lambda functions obtain permissions; a single grant for the Lambda service principal (B) applies to all functions rather than to each one individually; and the AWS managed KMS key for Amazon S3 (D) is not the customer managed key that actually encrypts the data.