AWS Certified Solutions Architect – Associate (SAA-C02) — Question 620
A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
Answer options
- A. Add required IAM permissions in the resource policy of the Lambda function.
- B. Create a signed request using the existing IAM credentials in the Lambda function.
- C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
- D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.
Correct answer: D
Explanation
To allow an AWS Lambda function to interact with other AWS services like Amazon S3, you must assign it an IAM execution role that grants the necessary permissions. Hardcoding or using IAM user credentials inside the function (as in options B and C) is a major security risk and goes against AWS best practices. Resource-based policies (option A) are used to grant other services or accounts permission to invoke the Lambda function, not to grant the Lambda function permission to access other resources.
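What option D looks like in practice, as an added example (not part of the original question or an AWS-provided template): a CloudFormation fragment that defines an execution role whose trust policy lets only the Lambda service assume it, whose permissions policy allows nothing beyond s3:PutObject on one bucket prefix, and a function that is attached to that role. The resource names, the UploadBucketName parameter, the uploads/ prefix and the inline handler are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Lambda execution role scoped to PutObject on one bucket (assumed names)

Parameters:
  UploadBucketName:
    Type: String
    Description: Existing bucket the function writes to (placeholder, not from the question)

Resources:
  UploadFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Baseline CloudWatch Logs permissions so the function can log
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      # Permissions policy: least privilege, one action on one bucket prefix
      Policies:
        - PolicyName: UploadToS3Only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub "arn:aws:s3:::${UploadBucketName}/uploads/*"

  UploadFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt UploadFunctionRole.Arn   # attach the execution role; no credentials in code
      Environment:
        Variables:
          UPLOAD_BUCKET: !Ref UploadBucketName
      Code:
        ZipFile: |
          import os
          import boto3

          # The SDK picks up the short-lived credentials that the Lambda
          # service obtains by assuming the execution role; nothing is hardcoded.
          s3 = boto3.client("s3")

          def handler(event, context):
              s3.put_object(
                  Bucket=os.environ["UPLOAD_BUCKET"],
                  Key="uploads/" + event["name"],
                  Body=event["body"].encode(),
              )
              return {"status": "ok"}
```

Two things worth checking in a real deployment: the Resource ARN should name a specific bucket (and prefix) rather than `*`, and neither the function code nor its environment variables should contain an IAM user's access key, which is what options B and C would require and what a credential scanner or CloudTrail review would flag.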