A company has an AWS Lambda function that needs read access to an Amazon S3 bucket that is located in the same AWS account.
Which solution will meet these requirements in the MOST secure manner?
A. Apply an S3 bucket policy that grants read access to the S3 bucket.
B. Apply an IAM role to the Lambda function. Apply an IAM policy to the role to grant read access to the S3 bucket.
C. Embed an access key and a secret key in the Lambda function's code to grant the required IAM permissions for read access to the S3 bucket.
D. Apply an IAM role to the Lambda function. Apply an IAM policy to the role to grant read access to all S3 buckets in the account.
Explanation:
Correct Answer: B
Why Option B is the MOST secure:
Principle of Least Privilege: By attaching an IAM role to the Lambda function with a specific policy granting read access only to the required S3 bucket, you follow the principle of least privilege. The Lambda function gets only the permissions it needs, nothing more.
Temporary Credentials: IAM roles provide temporary security credentials that are automatically rotated by AWS. This is more secure than long-lived credentials.
No Hard-coded Credentials: Unlike option C, there are no access keys or secret keys embedded in the code, which could be exposed through code repositories or logging.
Granular Control: The IAM policy can be scoped precisely to the specific bucket and operations needed.
Why other options are less secure:
Option A (S3 bucket policy): While this could work, it is less secure because a bucket policy grants access at the bucket level and can end up broader than intended. Managing permissions through an IAM role attached to the function is also the AWS-recommended practice for serverless applications.
Option C (Embed credentials): This is the LEAST secure approach. Hard-coding credentials in code is a major security anti-pattern because:
Option D (Grant access to all S3 buckets): This violates the principle of least privilege by granting overly broad permissions. The Lambda function would have read access to ALL S3 buckets in the account, which is unnecessary and creates a security risk.
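As an added example (not part of the original quiz or its explanation), the option B role policy and the option D role policy side by side, plus the trust policy that lets Lambda assume the role, with a small check that flags any Allow statement reaching beyond the one bucket or beyond read-only actions. The bucket name is a constructed placeholder.

```python
# Constructed placeholder bucket; substitute the real bucket in your account.
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"

# Trust policy: lets the Lambda service assume the execution role (option B).
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Option B: permissions policy scoped to the single bucket the function reads.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
    ],
}

# Option D: same role, but the grant covers every bucket in the account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    ],
}

READ_ONLY_S3_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}

def find_broad_s3_grants(policy: dict, allowed_bucket_arn: str) -> list:
    """Return findings for Allow statements that exceed read-only access to
    allowed_bucket_arn. An empty list means the policy is scoped as in option B."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:  # wildcards such as "s3:*" are not in the allow-list
            if action not in READ_ONLY_S3_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not read-only")
        for res in resources:  # "*" and other buckets fall outside the target bucket
            if res != allowed_bucket_arn and not res.startswith(allowed_bucket_arn + "/"):
                findings.append(f"statement {i}: resource {res!r} is outside the bucket")
    return findings
```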
Best Practice Summary: