SAA-C03 Question #581: Real Exam Question with Answer & Explanation
The correct answer is C: create an individual IAM role for each Lambda function and grant each role only the S3 bucket access that function needs.
Question
A company is building an application on AWS. The application uses multiple AWS Lambda functions to retrieve sensitive data from a single Amazon S3 bucket for processing. The company must ensure that only authorized Lambda functions can access the data. The solution must comply with the principle of least privilege. Which solution will meet these requirements?
Options
- A. Grant full S3 bucket access to all Lambda functions through a shared IAM role.
- B. Configure the Lambda functions to run within a VPC. Configure a bucket policy to grant access from the VPC endpoint.
- C. Create individual IAM roles for each Lambda function. Grant the IAM roles access to the S3 bucket.
- D. Configure a bucket policy granting access to the Lambda functions based on their function ARNs.
Explanation
The application uses multiple AWS Lambda functions to access sensitive data in a single S3 bucket, and only specific functions may be authorized, in line with the principle of least privilege. Giving each function its own IAM role, scoped to exactly the bucket access that function needs, meets both requirements.
Common mistakes.
- A. Granting full S3 bucket access to all Lambda functions through a shared IAM role violates the principle of least privilege, as it provides excessive permissions beyond what each function might need, increasing the blast radius in case of a security compromise.
- B. Configuring Lambda functions within a VPC and using a bucket policy for VPC endpoint access enhances network security by restricting access to a private endpoint. However, it does not provide granular authorization at the individual Lambda function level, thus failing to enforce the principle of least privilege for specific function access to data.
- D. While a bucket policy can grant access based on Lambda function ARNs, using IAM roles is the standard and recommended practice for assigning permissions to AWS services like Lambda. IAM roles offer a clearer and more robust mechanism for managing execution permissions and auditing compared to embedding function-specific permissions directly in a bucket policy for multiple functions.
Concept tested. IAM roles, least privilege, S3 bucket access control
Reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
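As an added illustration of option C (not part of the exam page), the CloudFormation snippet below gives two Lambda functions their own execution roles; each role trusts only the Lambda service and is limited to one S3 action on one prefix of the bucket. The bucket name, function names and prefixes are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example: one execution role per function, each scoped to its own prefix.
# Bucket name "sensitive-data-bucket-example", function names and prefixes are assumed.
Resources:
  # Role 1: may only read objects under reports/ (no list, put or delete)
  ReportsReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:   # trust policy: only the Lambda service can assume it
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns: [arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]  # CloudWatch Logs only
      Policies:
        - PolicyName: ReadReportsPrefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: s3:GetObject, Resource: "arn:aws:s3:::sensitive-data-bucket-example/reports/*" }
  ReportsReader:
    Type: AWS::Lambda::Function
    Properties:
      Role: !GetAtt ReportsReaderRole.Arn   # this role is bound to this one function
      Runtime: python3.12
      Handler: index.handler
      Code: { ZipFile: "def handler(event, context): return 'reports'" }
  # Role 2: may only write objects under archive/; it cannot read reports/ at all
  ArchiveWriterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns: [arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]
      Policies:
        - PolicyName: WriteArchivePrefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: s3:PutObject, Resource: "arn:aws:s3:::sensitive-data-bucket-example/archive/*" }
  ArchiveWriter:
    Type: AWS::Lambda::Function
    Properties:
      Role: !GetAtt ArchiveWriterRole.Arn   # a separate role, so a compromise of one function does not expose the other prefix
      Runtime: python3.12
      Handler: index.handler
      Code: { ZipFile: "def handler(event, context): return 'archive'" }
```

Because each function runs under its own role, CloudTrail records S3 calls against that role's session, which makes it straightforward to audit which function touched which prefix.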