Answer-first summary for fast verification
Answer: Assign S3 ListBucket and GetObject permissions to the CloudFormation service role and set an S3 bucket policy for specified AWS account numbers.
Option A is the most secure way to allow CloudFormation to access the Lambda code in the S3 bucket. Granting the CloudFormation service role the necessary S3 ListBucket and GetObject permissions provides the required access, and specifying the account numbers in the S3 bucket policy ensures that only those specific accounts can access the Lambda code. This approach adheres to the principle of least privilege and avoids using overly broad permissions such as wildcard principals, which could expose the bucket to unauthorized access.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
How can CloudFormation access Lambda code stored in an S3 bucket securely across multiple accounts within the same AWS Region?
A
Assign S3 ListBucket and GetObject permissions to the CloudFormation service role and set an S3 bucket policy for specified AWS account numbers.
B
Assign S3 GetObject permission to the CloudFormation service role and apply a bucket policy with a wildcard principal.
C
Establish a service-based policy granting the Lambda function S3 ListBucket and GetObject permissions, specifying the S3 bucket's account number.
D
Create a service-based policy for the Lambda function to access the S3 bucket with a wildcard resource for S3 GetObject permission.
No comments yet.