AWS Certified Solutions Architect – Associate (SAA-C03) — Question 305
A company has an AWS Lambda function that needs read access to an Amazon S3 bucket that is located in the same AWS account.
Which solution will meet these requirements in the MOST secure manner?
Answer options
- A. Apply an S3 bucket policy that grants read access to the S3 bucket.
- B. Apply an IAM role to the Lambda function. Apply an IAM policy to the role to grant read access to the S3 bucket.
- C. Embed an access key and a secret key in the Lambda function’s code to grant the required IAM permissions for read access to the S3 bucket.
- D. Apply an IAM role to the Lambda function. Apply an IAM policy to the role to grant read access to all S3 buckets in the account.
Correct answer: B
Explanation
Assigning an IAM execution role directly to the AWS Lambda function with a policy restricted to the specific Amazon S3 bucket follows the security principle of least privilege. Hardcoding AWS credentials in the code (Option C) is highly insecure, while granting access to all buckets (Option D) is overly permissive. Using a bucket policy alone (Option A) without an execution role does not properly grant the Lambda function identity-based permissions to perform the action.
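To make the difference between options B and D concrete, here is an added example (not part of the exam question or its explanation) that builds the two IAM policy documents an execution role would carry and runs a small review check over them. The trust policy and the S3 actions (`s3:ListBucket`, `s3:GetObject`) are standard IAM; the bucket name `example-reports-bucket` and the helper function names are constructed for this example.

```python
"""Least-privilege IAM policy documents for a Lambda execution role (added example)."""
import json

# Constructed bucket name for the example; not from the exam question.
EXAMPLE_BUCKET = "example-reports-bucket"


def lambda_trust_policy() -> dict:
    """Trust policy that lets the Lambda service assume the execution role (option B)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def scoped_s3_read_policy(bucket: str) -> dict:
    """Permissions policy restricted to one bucket: list it and read its objects (option B)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadObjectsInOneBucket",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def all_buckets_read_policy() -> dict:
    """Overly permissive variant: read access to every bucket in the account (option D)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"],
            }
        ],
    }


def wildcard_resources(policy: dict) -> list:
    """Return Resource entries of Allow statements whose bucket name is a wildcard.

    Review check for an execution role that should reach one bucket only:
    the scoped policy yields an empty list, the all-buckets policy does not.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            # Bucket name is the part between the S3 ARN prefix and the first slash.
            bucket_part = res.removeprefix("arn:aws:s3:::").split("/", 1)[0]
            if res == "*" or "*" in bucket_part:
                found.append(res)
    return found


if __name__ == "__main__":
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(scoped_s3_read_policy(EXAMPLE_BUCKET), indent=2))
    print("scoped policy wildcards:", wildcard_resources(scoped_s3_read_policy(EXAMPLE_BUCKET)))
    print("all-buckets policy wildcards:", wildcard_resources(all_buckets_read_policy()))
```

The trust policy is what ties the role to the function (no long-lived keys in code, unlike option C); the permissions policy names one bucket ARN and its object prefix, which is what keeps the grant at least privilege. The `wildcard_resources` check is the kind of guard a policy review or CI step can apply to catch an option D style grant before it is deployed.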