AWS Certified Solutions Architect – Associate (SAA-C03) — Question 897
A company is building an application on AWS. The application uses multiple AWS Lambda functions to retrieve sensitive data from a single Amazon S3 bucket for processing. The company must ensure that only authorized Lambda functions can access the data. The solution must comply with the principle of least privilege.
Which solution will meet these requirements?
Answer options
- A. Grant full S3 bucket access to all Lambda functions through a shared IAM role.
- B. Configure the Lambda functions to run within a VPC. Configure a bucket policy to grant access based on the Lambda functions' VPC endpoint IP addresses.
- C. Create individual IAM roles for each Lambda function. Grant the IAM roles access to the S3 bucket. Assign each IAM role as the Lambda execution role for its corresponding Lambda function.
- D. Configure a bucket policy granting access to the Lambda functions based on their function ARNs.
Correct answer: C
Explanation
To adhere to the principle of least privilege, each AWS Lambda function should have its own dedicated IAM execution role containing only the permissions required for its specific task. Using a shared IAM role violates this principle by granting unnecessary access to functions that do not require it. Additionally, S3 bucket policies do not support Lambda function ARNs as principals, making individual execution roles the correct and secure implementation.
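As an added illustration of option C (example configuration written for this page, not part of the exam material or any AWS sample), the CloudFormation template below gives each of two Lambda functions its own execution role, scopes each role to one key prefix in the bucket, and uses a bucket policy to deny every principal other than those two roles. The bucket name, prefixes, and function names are placeholders chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Per-function Lambda execution roles with least-privilege S3 access (illustrative)

Parameters:
  DataBucketName:
    Type: String
    Default: example-sensitive-data-bucket   # placeholder; bucket assumed to already exist

Resources:
  # Role for the report processor: may only read objects under reports/
  ReportProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com   # only the Lambda service can assume this role
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole  # CloudWatch Logs only
      Policies:
        - PolicyName: ReadReportsPrefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${DataBucketName}/reports/*"

  # Role for the invoice processor: may only read objects under invoices/
  InvoiceProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadInvoicesPrefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${DataBucketName}/invoices/*"

  # Each function is bound to exactly one role; no role is shared.
  ReportProcessorFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ReportProcessorRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              return {"processor": "reports"}

  InvoiceProcessorFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt InvoiceProcessorRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              return {"processor": "invoices"}

  # Resource-side guard: the bucket refuses every principal except the two execution roles.
  # Principals here are IAM role ARNs; a Lambda function ARN would not be accepted.
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyAllExceptAuthorizedRoles
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${DataBucketName}"
              - !Sub "arn:aws:s3:::${DataBucketName}/*"
            Condition:
              StringNotEquals:
                aws:PrincipalArn:
                  - !GetAtt ReportProcessorRole.Arn
                  - !GetAtt InvoiceProcessorRole.Arn
```

Two design points worth checking before deploying something like this: the explicit Deny in the bucket policy also applies to administrators, so the role used for operations and auditing must be added to the `aws:PrincipalArn` list or the account locks itself out of the bucket; and because each role only allows `s3:GetObject` on its own prefix, a function that later needs to list or write objects must get that permission added to its own role rather than reaching for a broader shared one.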