AWS Certified Solutions Architect – Associate (SAA-C02) — Question 489
A company has an AWS Lambda function that needs read access to an Amazon S3 bucket that is located in the same AWS account.
Which solution will meet these requirements in the MOST secure manner?
Answer options
- A. Apply an S3 bucket policy that grants read access to the S3 bucket.
- B. Apply an IAM role to the Lambda function. Apply an IAM policy to the role to grant read access to the S3 bucket.
- C. Embed an access key and a secret key in the Lambda function's code to grant the required IAM permissions for read access to the S3 bucket.
- D. Apply an IAM role to the Lambda function. Apply an IAM policy to the role to grant read access to all S3 buckets in the account.
Correct answer: B
Explanation
Assigning an IAM role with a least-privilege IAM policy directly to the Lambda function is the most secure method: the function receives short-lived credentials from the execution role at runtime, so nothing is hardcoded, and the policy limits access to only the required S3 bucket. Hardcoding access keys (Option C) is a major security risk because the long-lived credentials sit in the function's code and deployment package, where they can be leaked and must be rotated by hand. Granting access to all S3 buckets (Option D) violates the principle of least privilege. Using an S3 bucket policy alone (Option A) is not the standard or most secure practice for granting internal account permissions to an execution identity like Lambda, which still needs an execution role to run.
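The following is an added example, not part of the original question or of any AWS documentation. It writes out the two policy documents behind Option B (a trust policy that lets only the Lambda service assume the role, and a permissions policy scoped to one bucket), places the over-broad Option D policy beside it, and includes a small checker that flags any S3 Allow statement whose Resource reaches beyond the named bucket. The bucket name is a constructed placeholder.

```python
import json

# Constructed sample bucket name (assumption, not from the question).
BUCKET = "example-reports-bucket"

# Trust policy for the execution role: only the Lambda service may assume it.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Option B: read access scoped to the single bucket and the objects in it.
# s3:ListBucket applies to the bucket ARN; s3:GetObject applies to object ARNs.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}

# Option D: the same actions, but against every bucket in the account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def s3_resources_outside_bucket(policy, bucket):
    """Return every Resource entry in an Allow statement carrying S3 actions
    that is not the named bucket ARN or its object-level ARN pattern."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    offenders = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                offenders.append(res)
    return offenders


def is_scoped_to_bucket(policy, bucket):
    """True when every S3 Allow statement targets only the named bucket."""
    return not s3_resources_outside_bucket(policy, bucket)


if __name__ == "__main__":
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    print("Option B scoped to bucket:", is_scoped_to_bucket(LEAST_PRIVILEGE_POLICY, BUCKET))
    print("Option D scoped to bucket:", is_scoped_to_bucket(OVERBROAD_POLICY, BUCKET))
    print("Option D offending resources:", s3_resources_outside_bucket(OVERBROAD_POLICY, BUCKET))
```

The checker is deliberately strict: a Resource of `*`, a different bucket, or a broader wildcard such as `arn:aws:s3:::*` all count as reaching outside the bucket, which is the property Option B has and Option D lacks. The same shape of check is useful as a pre-deployment lint over the policy documents attached to Lambda execution roles.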