Question
A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
A. Add required IAM permissions in the resource policy of the Lambda function.
B. Create a signed request using the existing IAM credentials in the Lambda function.
C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.
Answer
D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.
Explanation
To grant the necessary permissions for a developer’s application to upload files to Amazon S3 using an AWS Lambda function, a solutions architect should create an IAM execution role with the required permissions and attach the IAM role to the Lambda function (option D).
AWS Lambda functions require an IAM execution role that defines the permissions they have when interacting with AWS services. By creating an IAM execution role and assigning it to the Lambda function, the function obtains temporary credentials for that role at invocation time and therefore the permissions it needs to upload files to Amazon S3.
Why this option is correct and the others are not:
A. Adding required IAM permissions in the resource policy of the Lambda function:
Resource policies are used to manage permissions for accessing specific resources. However, in this case, the resource policy of the Lambda function is not the appropriate place to grant permissions for Amazon S3. Resource policies are typically used when you want to control access to the Lambda function itself, not the resources it interacts with.
B. Creating a signed request using the existing IAM credentials in the Lambda function:
Creating a signed request is typically used when you want to grant temporary access to specific AWS services or resources to a third party. While it can be a valid approach in some scenarios, it is not the most appropriate solution in this case: it would require additional code and complexity to sign requests in the function, and it would mean embedding the IAM user’s long-lived credentials in the Lambda function instead of relying on an execution role.
C. Creating a new IAM user and using the existing IAM credentials in the Lambda function:
Creating a new IAM user is not necessary in this scenario. The developer already has an IAM user with valid IAM credentials, so a second user adds nothing, and this option still relies on placing IAM user credentials in the Lambda function rather than on an execution role.
D. Creating an IAM execution role with the required permissions and attaching the IAM role to the Lambda function:
This is the correct approach. By creating an IAM execution role, the solutions architect can define and assign the necessary permissions for the Lambda function to upload files to Amazon S3. The IAM role will have specific policies attached that grant access to the required S3 operations. Then, the IAM role is attached to the Lambda function, allowing it to assume the role and perform the required actions on S3.
In summary, the solutions architect should create an IAM execution role with the appropriate permissions and attach it to the Lambda function to grant the necessary permissions for uploading files to Amazon S3. This approach ensures that the developer can securely and efficiently interact with S3 without the need for additional IAM user credentials or complex resource policies.
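A concrete form of option D, as an added example that is not part of the original page: the trust policy that lets only the Lambda service assume the role, a permissions policy scoped to PutObject under one prefix of one bucket, a small check that flags over-broad Allow statements, and a boto3 helper that creates the role. The bucket name, prefix and role name are constructed values.

```python
import json

# Constructed example values, not from the original page.
BUCKET = "example-upload-bucket"
PREFIX = "uploads/"


def trust_policy() -> dict:
    """Trust policy: only the Lambda service principal may assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def upload_policy(bucket: str, prefix: str) -> dict:
    """Permissions policy limited to s3:PutObject under one prefix of one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def policy_findings(policy: dict) -> list:
    """Return a finding per Allow statement that uses a wildcard action or resource."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if "*" in resources:
            findings.append(f"statement {i}: resource '*'")
    return findings


def create_execution_role(iam, role_name: str, bucket: str, prefix: str) -> str:
    """Create the execution role with an inline policy; iam is boto3.client('iam')."""
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="s3-upload",
                        PolicyDocument=json.dumps(upload_policy(bucket, prefix)))
    return role["Role"]["Arn"]
```

The returned ARN is then attached to the function with `aws lambda update-function-configuration --function-name <name> --role <arn>`; running `policy_findings` over a candidate policy before attaching it catches `s3:*` or `Resource: "*"` grants.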
Amazon AWS Certified Solutions Architect – Associate SAA-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Solutions Architect – Associate SAA-C02 exam and earn Amazon AWS Certified Solutions Architect – Associate SAA-C02 certification.