AWS Certified Solutions Architect – Associate (SAA-C03) — Question 392
A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
Answer options
- A. Add required IAM permissions in the resource policy of the Lambda function.
- B. Create a signed request using the existing IAM credentials in the Lambda function.
- C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
- D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.
Correct answer: D
Explanation
To grant an AWS Lambda function permissions to interact with other AWS services such as Amazon S3, AWS best practice is to associate an IAM execution role with the function. Lambda assumes that role when the function runs and supplies temporary credentials to the code, so no long-lived keys need to be stored. Hardcoding IAM user credentials in function code or environment variables is a security risk and is discouraged. A Lambda function's resource policy controls invocation permissions from other services; it does not grant the function access to external resources.