AWS Certified Solutions Architect – Associate (SAA-C02) — Question 361
An engineering team is developing and deploying AWS Lambda functions. The team needs to create roles and manage policies in AWS IAM to configure the permissions of the Lambda functions.
How should the permissions for the team be configured so they also adhere to the concept of least privilege?
Answer options
- A. Create an IAM role with a managed policy attached. Allow the engineering team and the Lambda functions to assume this role.
- B. Create an IAM group for the engineering team with an IAMFullAccess policy attached. Add all the users from the team to this IAM group.
- C. Create an execution role for the Lambda functions. Attach a managed policy that has permission boundaries specific to these Lambda functions.
- D. Create an IAM role with a managed policy attached that has permission boundaries specific to the Lambda functions. Allow the engineering team to assume this role.
Correct answer: D
Explanation
Option D is correct because a permissions boundary lets the engineering team create and manage execution roles for Lambda functions without being granted full administrator privileges: the team can only delegate permissions that fall within the boundary, which prevents privilege escalation. Options A and B violate the principle of least privilege, A by sharing one role between the team and the functions and B by granting full IAM access, while Option C configures only the Lambda execution role and does not address the permissions the engineering team needs in order to manage the roles.
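The delegation pattern behind option D, as an added illustration that is not part of the exam question or any AWS-provided code: a boundary policy caps what any execution role the team creates can do, and the team's own role may call iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy only when the request sets that boundary (the iam:PermissionsBoundary condition key), and may pass such roles only to Lambda (iam:PassedToService). The account id, ARNs and table name are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (explicit Deny wins, otherwise a matching Allow; only StringEquals conditions), not AWS's real engine.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder, not a real account id
REGION = "us-east-1"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/LambdaExecutionBoundary"  # assumed name
ROLE_PREFIX = f"arn:aws:iam::{ACCOUNT}:role/lambda/"  # assumed path for team-made roles

# 1. The managed policy used as the permissions boundary: the ceiling for every
#    execution role the team creates, whatever the role's own policy asks for.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/orders"},
    ],
}

# 2. Policy on the role the engineering team assumes (option D). IAM write actions
#    are allowed only when the request carries the boundary; PassRole only to Lambda.
TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": ROLE_PREFIX + "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": ROLE_PREFIX + "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcard matching for Action and Resource fields.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(statement, context):
    # Only StringEquals is modelled; a key absent from the request context fails.
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow."""
    context = context or {}
    decision = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_ok(st, context)):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision


def team_request_allowed(action, resource, boundary_arn=None, passed_to=None):
    """Would the team's request succeed? boundary_arn is the boundary the request sets."""
    ctx = {}
    if boundary_arn:
        ctx["iam:PermissionsBoundary"] = boundary_arn
    if passed_to:
        ctx["iam:PassedToService"] = passed_to
    return is_allowed(TEAM_POLICY, action, resource, ctx)


def effective_allowed(role_policy, action, resource):
    """What a created execution role can really do: its own policy AND the boundary."""
    return is_allowed(role_policy, action, resource) and is_allowed(BOUNDARY, action, resource)


# Constructed execution-role policy that over-asks: the boundary clips it down.
OVERBROAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["dynamodb:*", "s3:GetObject"], "Resource": "*"}],
}

if __name__ == "__main__":
    role = ROLE_PREFIX + "orders-fn"
    orders = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/orders"
    print(team_request_allowed("iam:CreateRole", role, BOUNDARY_ARN))   # True
    print(team_request_allowed("iam:CreateRole", role))                 # False: no boundary set
    print(team_request_allowed("iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/admin", BOUNDARY_ARN))  # False
    print(effective_allowed(OVERBROAD_ROLE_POLICY, "dynamodb:PutItem", orders))      # True
    print(effective_allowed(OVERBROAD_ROLE_POLICY, "dynamodb:DeleteItem", orders))   # False
    print(effective_allowed(OVERBROAD_ROLE_POLICY, "s3:GetObject", "arn:aws:s3:::bucket/key"))  # False
```

The two checks together are the least-privilege argument: the team cannot create a role outside the lambda/ path or without the boundary, and even a role policy that grants dynamodb:* and S3 access ends up limited to the two DynamoDB actions the boundary allows. In a real account the same request would additionally be subject to SCPs, session policies and resource policies, which this model leaves out.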