
Answer-first summary for fast verification
Answer: Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.
## Explanation

**Correct Answer: D** - Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.

**Why this is correct:**

1. **Lambda Execution Role**: Every Lambda function has an IAM execution role that it assumes at invocation time. The permissions attached to that role are what allow the function's code to call other AWS services, here `s3:PutObject` on the target bucket. This is the standard, documented mechanism for granting a function permissions.
2. **Best Practice**: Using an execution role keeps credentials out of the function's code and configuration, and lets the role be scoped to exactly the actions and resources the function needs (least privilege).
3. **Security**: When the function runs, Lambda obtains short-lived credentials for the role from AWS STS and exposes them to the runtime through environment variables; they expire and are refreshed automatically. Long-lived IAM user access keys never expire on their own and must be rotated by hand.

**Why the other options are incorrect:**

**A. Add required IAM permissions in the resource policy of the Lambda function.**
- A Lambda function does have a resource-based policy, but it controls who may *invoke* or manage the function (for example, allowing an S3 bucket notification or another AWS account to call it). It cannot grant the function's own code permission to write to S3; that is the job of the execution role.

**B. Create a signed request using the existing IAM credentials in the Lambda function.**
- This means embedding the developer's IAM user access key and secret key in the function (in code, configuration, or environment variables) and using them to sign S3 requests. That is an anti-pattern:
  - The credentials end up in source repositories, deployment packages, or the function configuration, where anyone who can read the function can copy them
  - IAM user access keys do not rotate automatically
  - It ties the function to a human user's identity and permissions instead of a purpose-built role, contrary to AWS security best practices

**C. Create a new IAM user and use the existing IAM credentials in the Lambda function.**
- Like option B, this still hardcodes long-lived credentials in the function, and creating another IAM user only adds to the problem:
  - Another set of long-lived access keys to store, rotate, and revoke
  - No use of the temporary credentials that Lambda already provides through the execution role
  - An IAM user is meant for people or external workloads, not for a Lambda function that already has a role-based identity

**Key AWS Concepts:**
- **IAM Execution Role**: The role Lambda assumes when it runs the function; its trust policy names `lambda.amazonaws.com` as the principal, and its permissions policies grant access to AWS resources.
- **Temporary Credentials**: AWS Security Token Service (STS) issues short-lived credentials when Lambda assumes the execution role; Lambda manages and refreshes them on the function's behalf.
- **Principle of Least Privilege**: Grant only the permissions the task needs, in this case `s3:PutObject` on the specific bucket (or key prefix), not broad S3 access.
**Implementation Steps:**

1. Create an IAM role whose trust policy allows `lambda.amazonaws.com` to assume it, and attach the `AWSLambdaBasicExecutionRole` managed policy so the function can write to CloudWatch Logs.
2. Attach a permissions policy for S3. Prefer a custom inline or customer-managed policy that allows `s3:PutObject` on the target bucket (or key prefix) only; a broad managed policy such as `AmazonS3FullAccess` would work but grants far more than the task requires and contradicts least privilege.
3. Configure the Lambda function to use this execution role (for example, via the `--role` option of `aws lambda create-function` or `aws lambda update-function-configuration`).
4. The function then uploads files to S3 using the role's temporary credentials, with no access keys in its code or configuration.
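The following Python script is added here as a worked example and is not part of the LeetQuiz explanation. It carries out the implementation steps above and illustrates why options B and C lose to option D: it builds the role's trust policy and a least-privilege S3 upload policy, audits a policy document for wildcards (flagging an `AmazonS3FullAccess`-style document), creates the role with boto3, and ends with a handler that relies on the role's temporary credentials instead of any access key. The bucket name `example-uploads`, role name `lambda-s3-upload-role`, key prefix `uploads/`, and the `OVERBROAD_POLICY` document are assumptions for illustration; `create_execution_role()` and `handler()` need live AWS credentials and boto3, while the policy builders and the audit run offline.

```python
"""Least-privilege Lambda execution role for S3 uploads (added example).

Assumed names (not from the original question): bucket "example-uploads",
role "lambda-s3-upload-role", key prefix "uploads/".
"""
import json

BUCKET = "example-uploads"            # assumed bucket name
PREFIX = "uploads/"                   # assumed key prefix the function may write to
ROLE_NAME = "lambda-s3-upload-role"   # assumed role name
LOGS_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

# Constructed stand-in for an AmazonS3FullAccess-style document: every S3
# action on every resource. Used only to show what the audit rejects.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def trust_policy() -> dict:
    """Trust policy: only the Lambda service principal may assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_upload_policy(bucket: str, prefix: str = "") -> dict:
    """Permissions policy scoped to PutObject on one bucket and optional prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UploadOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def audit_policy(policy: dict) -> list:
    """Return least-privilege findings: wildcard actions or '*' resources in Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:                      # "s3:*", "s3:Put*", "*"
                findings.append(f"wildcard action {action!r}")
        for resource in resources:
            if resource == "*":
                findings.append("wildcard resource '*'")
    return findings


def create_execution_role(bucket: str = BUCKET, role_name: str = ROLE_NAME) -> str:
    """Steps 1 and 2: create the role, attach the CloudWatch Logs managed policy,
    add the scoped S3 inline policy, and return the role ARN.
    Needs boto3 and live AWS credentials; boto3 is imported lazily so the
    offline parts of this module still import without it."""
    import boto3
    upload = s3_upload_policy(bucket, PREFIX)
    if audit_policy(upload):
        raise ValueError("refusing to create an over-privileged role")
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=LOGS_POLICY_ARN)
    iam.put_role_policy(RoleName=role_name, PolicyName="S3UploadOnly",
                        PolicyDocument=json.dumps(upload))
    return role["Role"]["Arn"]


def handler(event, context):
    """Step 4: the function code itself. No access keys appear anywhere; boto3's
    default credential chain reads the role's temporary credentials that Lambda
    places in the runtime environment (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
    AWS_SESSION_TOKEN) and refreshes them for us."""
    import boto3
    s3 = boto3.client("s3")  # not boto3.client("s3", aws_access_key_id=..., ...)
    s3.put_object(Bucket=BUCKET, Key=f"{PREFIX}{event['name']}", Body=event["body"])
    return {"status": "ok"}
```

Step 3 is the one piece the script does not perform: once `create_execution_role()` returns the ARN, pass it as `--role` to `aws lambda create-function` or `aws lambda update-function-configuration`, and the handler above will run with that role's credentials. `audit_policy()` is deliberately strict and would also flag a managed policy such as `AmazonS3FullAccess`; the check is a guard against exactly the shortcut the implementation steps warn about.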
Author: LeetQuiz Editorial Team
A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
A. Add required IAM permissions in the resource policy of the Lambda function.
B. Create a signed request using the existing IAM credentials in the Lambda function.
C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.