DVA-C02 · Question #299
Correct answer: B
Question
An AWS Lambda function requires read access to an Amazon S3 bucket and requires read/write access to an Amazon DynamoDB table. The correct IAM policy already exists. What is the MOST secure way to grant the Lambda function access to the S3 bucket and the DynamoDB table?
Options
- A. Attach the existing IAM policy to the Lambda function.
- B. Create an IAM role for the Lambda function. Attach the existing IAM policy to the role. Attach the
- C. Create an IAM user with programmatic access. Attach the existing IAM policy to the user. Add the
- D. Add the AWS account root user access key ID and secret access key as encrypted environment
Explanation
Option B is correct because AWS Lambda functions should always use IAM roles (called "execution roles") to access other AWS services: a role provides temporary credentials that AWS rotates automatically and injects into the function's runtime, so the function never holds a long-lived secret, and the role's policy can be scoped to exactly the S3 and DynamoDB permissions it needs, following the principle of least privilege.
Option A is wrong because an identity-based IAM policy cannot be attached directly to a Lambda function; it must be attached to an IAM identity (user, group, or role), and the identity a Lambda function runs as is its execution role.
Option C is wrong because creating an IAM user with programmatic access keys for a Lambda function is a security anti-pattern: long-lived static credentials must be manually rotated, are at risk of exposure, and are unnecessary when roles provide the same access more securely.
Option D is wrong because using the root account's access keys is the most dangerous possible approach - the root user has unrestricted access to everything in the account, violating least privilege, and hardcoding credentials (even encrypted) in environment variables is a credential management risk.
Memory tip: Think "Lambda = Role, Human = User." AWS services always authenticate via IAM roles (temporary credentials), while human operators use IAM users. If you see a question about granting an AWS service access to another AWS service, the answer almost always involves an IAM role.
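An added example, not part of the original question page: it builds the two documents that option B implies (the trust policy that makes a role a Lambda execution role, and a least-privilege identity policy scoped to one bucket and one table) and adds a small check that flags the option C/D anti-pattern of long-term access keys sitting in a function's environment variables. The bucket and table ARNs and the sample environment block are constructed values, and the key-shape regexes are heuristics.

```python
import json
import re

# Constructed sample ARNs (assumptions, not from the question).
BUCKET_ARN = "arn:aws:s3:::example-input-bucket"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"

def execution_role_trust_policy() -> dict:
    """Trust policy: only the Lambda service may assume the role, so Lambda
    can call sts:AssumeRole and inject temporary credentials at runtime."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "lambda.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }

def least_privilege_policy(bucket_arn: str, table_arn: str) -> dict:
    """Identity policy scoped to one bucket (read) and one table (read/write)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"{bucket_arn}/*"},
            {"Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:Query",
                        "dynamodb:PutItem", "dynamodb:UpdateItem"],
             "Resource": table_arn},
        ],
    }

# Heuristics: long-term access key IDs begin with AKIA; secret keys are 40
# characters from the base64 alphabet. Expect occasional false positives.
_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
_SECRET = re.compile(r"^[A-Za-z0-9/+]{40}$")

def find_static_credentials(env: dict) -> list:
    """Names of env vars whose values look like long-term keys (options C/D)."""
    return sorted(n for n, v in env.items()
                  if _KEY_ID.search(v) or _SECRET.match(v))

if __name__ == "__main__":
    print(json.dumps(execution_role_trust_policy(), indent=2))
    # Constructed environment block in the shape of GetFunctionConfiguration.
    sample_env = {"TABLE_NAME": "ExampleTable",
                  "AWS_KEY": "AKIAIOSFODNN7EXAMPLE",
                  "AWS_SECRET": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
    print(find_static_credentials(sample_env))  # ['AWS_KEY', 'AWS_SECRET']
```

Running `find_static_credentials` over each function's environment (for example from the output of `aws lambda get-function-configuration`) is a cheap way to catch the option C/D pattern in an account before an attacker does.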