Q16 — AWS DVA-C02 Ch.1


A developer’s code is stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function in the same AWS Region but in a different account. Each account will execute an AWS CloudFormation template to deploy the Lambda function. What is the most secure way to allow CloudFormation to access the Lambda code in the S3 bucket?

Correct Answer: A. Grant the CloudFormation service role S3 ListBucket and GetObject permissions. Add a bucket policy in Amazon S3 with principal 'AWS' containing the account number.

Explanation

Option A is the most secure approach: it grants least-privilege permissions (ListBucket and GetObject) only to the CloudFormation service role, and the S3 bucket policy restricts access to a specific AWS account via the 'AWS' principal with the exact account number, which prevents unauthorized cross-account access. Option B uses principal '*', allowing any AWS principal access and violating least privilege. Options C and D incorrectly assign the S3 permissions to the Lambda function (which is the artifact being deployed, not the service that reads the code) rather than to CloudFormation, and they misuse service-linked roles or wildcards, weakening the access control. Thus, Option A is correct.