Q19 — AWS DVA-C02 Ch.3


A development team is building an application on AWS Lambda that needs to access specific confidential objects in an Amazon S3 bucket. According to the principle of least privilege, the team must grant access to the S3 bucket using only temporary credentials. How should developers configure access to the S3 bucket in the most secure manner?

Correct Answer: C. Create an execution role for the Lambda function. Attach a policy granting permissions to access specific objects in the S3 bucket to that role.

Explanation

When handling highly confidential objects, security is the top priority. According to the principle of least privilege, an application should be granted only the minimum permissions necessary to perform its tasks. Taking each option in turn:

A. Hardcoding credentials in the application code exposes them directly and makes them vulnerable to malicious users or accidental leaks.

B. Storing credentials in AWS Secrets Manager provides encryption and secure credential storage, and the application retrieves the secret at runtime instead of embedding it in code. This is a relatively secure approach, but it still depends on a stored credential rather than on temporary ones.

C. Configuring an IAM execution role for the Lambda function and attaching a policy that grants access to the specific S3 objects is the recommended and most secure method: the function receives temporary credentials that AWS IAM manages automatically, so no long-term credentials exist at all.

D. Storing credentials as Lambda environment variables is insecure because environment variables are visible in logs and configuration, increasing exposure risk.

Therefore, the best practice is C.
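As an added illustration (example code, not part of the original question or its explanation), the following Python constructs the trust policy and a permissions policy of the kind option C describes, scoped to specific S3 objects, and includes a small checker that flags the wildcard grants a least-privilege review would reject. The bucket name, object keys, and the function names `scoped_s3_policy` and `least_privilege_findings` are constructed for this example; the checker is a simplified teaching aid, not an AWS tool.

```python
"""Added example (not from the quiz page): a least-privilege Lambda execution
role for option C, expressed as IAM policy documents, plus a checker that
flags over-broad grants. Bucket and key names are constructed placeholders."""
import json

BUCKET = "example-confidential-bucket"              # constructed placeholder
OBJECT_KEYS = ["reports/q1.pdf", "reports/q2.pdf"]  # constructed placeholders

# Trust policy: only the Lambda service may assume the role. AWS then issues
# short-lived credentials to the function automatically; nothing is hardcoded.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def scoped_s3_policy(bucket, keys):
    """Permissions policy granting read access to the named objects only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadSpecificObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{key}" for key in keys],
        }],
    }


# A grant that lets the function work but fails least privilege: every S3
# action on every resource.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy, allowed_actions=("s3:GetObject",)):
    """Return findings for Allow statements broader than 'read these specific
    objects'. An empty list means every statement is tightly scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action!r} not needed to read objects")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("/*") or res.endswith(":::*"):
                findings.append(f"statement {i}: wildcard resource {res!r}")
            elif not res.startswith("arn:aws:s3:::"):
                findings.append(f"statement {i}: non-S3 resource {res!r}")
    return findings


if __name__ == "__main__":
    policy = scoped_s3_policy(BUCKET, OBJECT_KEYS)
    print(json.dumps(policy, indent=2))
    print("scoped policy findings:", least_privilege_findings(policy))
    print("over-broad policy findings:", least_privilege_findings(OVERBROAD_POLICY))
```

In a real deployment the two documents would be attached to the role (trust policy as the role's assume-role document, the permissions policy inline or as a managed policy) and the function code would call S3 with no credentials configured at all, since the Lambda runtime injects the role's temporary credentials into the SDK's default credential chain.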