nerdexam
Amazon

DVA-C02 · Question #181

A developer has code that is stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function across multiple accounts in the same AWS Region as the S3 bucket. An AWS CloudFormation

The correct answer is A. Grant the CloudFormation service role the S3 ListBucket and GetObject permissions. Add a. Option (A) is the safest way to allow CloudFormation to access the Lambda code in the S3 bucket because it limits access to the specific accounts that need to deploy the Lambda functions. The bucket policy grants S3 ListBucket and GetObject permissions to the CloudFormation servi

Submitted by jaden.t· Mar 5, 2026Security

Question

A developer has code that is stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function across multiple accounts in the same AWS Region as the S3 bucket. An AWS CloudFormation template that runs for each account will deploy the Lambda function. What is the MOST secure way to allow CloudFormation to access the Lambda code in the S3 bucket?

Options

  • AGrant the CloudFormation service role the S3 ListBucket and GetObject permissions. Add a
  • BGrant the CloudFormation service role the S3 GetObject permission. Add a bucket policy to
  • CUse a service-based link to grant the Lambda function the S3 ListBucket and GetObject
  • DUse a service-based link to grant the Lambda function the S3 GetObject permission. Add a

How the community answered

(24 responses)
  • A
    54% (13)
  • B
    8% (2)
  • C
    25% (6)
  • D
    13% (3)

Explanation

Option (A) is the safest way to allow CloudFormation to access the Lambda code in the S3 bucket because it limits access to the specific accounts that need to deploy the Lambda functions. The bucket policy grants S3 ListBucket and GetObject permissions to the CloudFormation service role only for the accounts specified in the principal.

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice