Q19 — AWS DVA-C02 Ch.3
A development team is building an application on AWS Lambda that needs to access specific confidential objects in an Amazon S3 bucket. According to the principle of least privilege, the team must grant access to the S3 bucket using only temporary credentials. How should developers configure access to the S3 bucket in the most secure manner?
- A. Hardcode the credentials required to access the S3 objects directly in the application code and use those credentials to access the required S3 objects.
- B. Create an access key ID and secret access key with permissions to access the S3 bucket. Store the key and key ID in AWS Secrets Manager. Configure the application to retrieve the secret from Secrets Manager and use the credentials to access the S3 objects.
- C. Create an execution role for the Lambda function. Attach a policy granting permissions to access specific objects in the S3 bucket to that role. ✓
- D. Create an access key ID and secret access key with permissions to access the S3 bucket. Store the key and key ID as environment variables in the Lambda function. Use the environment variables to access the required S3 objects.
Correct Answer: C. Create an execution role for the Lambda function. Attach a policy granting permissions to access specific objects in the S3 bucket to that role.
Explanation
When handling highly confidential objects, security is the top priority. According to the principle of least privilege, applications should be granted only the minimum permissions necessary to perform their tasks, and the question further requires that the access use only temporary credentials. Evaluating each option against those two requirements:
- A hardcodes credentials in the application code, exposing them directly and making them vulnerable to malicious users or accidental leaks (for example, through source control).
- B stores credentials securely in AWS Secrets Manager, which provides encryption and secure credential storage; the application retrieves the secret at runtime instead of using hardcoded credentials, which is a relatively secure approach. However, the access key ID and secret access key stored there are still long-term credentials, so this option does not satisfy the temporary-credentials requirement.
- C configures an IAM execution role for the Lambda function and attaches a policy granting access to the specific S3 objects. This is the recommended and most secure method: the function receives temporary credentials that AWS IAM issues and rotates automatically, long-term credentials are avoided entirely, and the policy can be scoped to exactly the objects the function needs.
- D stores credentials as environment variables in Lambda, which is insecure because environment variables are visible in the function configuration and may end up in logs, increasing the risk of exposure; they are also long-term credentials.
Therefore, the best practice is C.