DVA-C02 · Question #436
A developer is automating a new application deployment with AWS Serverless Application Model (AWS SAM). The new application has one AWS Lambda function and one Amazon S3 bucket. The Lambda function mu
The correct answer is D. Add the S3ReadPolicy template to the Lambda function's execution role.. AWS SAM provides pre-built IAM policy templates such as S3ReadPolicy that can be attached directly to a Lambda function's execution role, granting scoped S3 read access with minimal configuration.
Question
A developer is automating a new application deployment with AWS Serverless Application Model (AWS SAM). The new application has one AWS Lambda function and one Amazon S3 bucket. The Lambda function must access the S3 bucket to only read objects. How should the developer configure AWS SAM to grant the necessary read privilege to the S3 bucket?
Options
- AReference a second Lambda authorizer function.
- BAdd a custom S3 bucket policy to the Lambda function.
- CCreate an Amazon Simple Queue Service (SQS) topic for only S3 object reads. Reference the
- DAdd the S3ReadPolicy template to the Lambda function's execution role.
How the community answered
(68 responses)- A15% (10)
- B3% (2)
- C7% (5)
- D75% (51)
Why each option
AWS SAM provides pre-built IAM policy templates such as S3ReadPolicy that can be attached directly to a Lambda function's execution role, granting scoped S3 read access with minimal configuration.
A Lambda authorizer is an API Gateway feature used to authenticate API requests; it has no role in granting a Lambda function permissions to access S3.
An S3 bucket policy controls who can access the bucket from outside, but the correct mechanism for granting a Lambda function access is through the function's IAM execution role, not a bucket policy attached to the function.
Amazon SQS is a message queuing service and has no relevance to granting or limiting a Lambda function's read access to an S3 bucket.
AWS SAM policy templates like S3ReadPolicy are shorthand IAM policies that SAM expands into full IAM policy documents during deployment. Adding S3ReadPolicy under the function's Policies property in the SAM template automatically grants the Lambda execution role the s3:GetObject and related read permissions on the specified bucket, following the principle of least privilege.
Concept tested: AWS SAM policy templates for Lambda S3 read access
Source: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html
Community Discussion
No community discussion yet for this question.