AWS Certified Developer – Associate / Question #723 of 557

Question #723

A developer has an AWS Lambda function code stored in an Amazon S3 bucket in Account A. The Lambda function needs to be deployed using AWS CloudFormation templates in multiple other accounts (Account B, C, D) within the same region. The CloudFormation stack in each account must retrieve the code from the S3 bucket in Account A.

What is the MOST secure method to enable CloudFormation in the target accounts to access the Lambda code package in the S3 bucket?

A

Create an IAM role in each target account with S3:GetObject and S3:ListBucket permissions. Attach a bucket policy on Account A's S3 bucket allowing access to the target accounts' CloudFormation service roles.

B

Grant the S3 bucket a policy with a principal of "*" allowing GetObject. Have each CloudFormation stack use an IAM role with GetObject permission.

C

Use a bucket policy on Account A's S3 bucket granting GetObject to the target accounts' AWS organizations. Configure each CloudFormation service role with ListBucket and GetObject permissions.

D

Create an IAM role in Account A that grants S3 access, and have each target account's CloudFormation assume this role using a service-based link.

Explanation

Answer A is correct because it combines an identity policy in each target account with a resource policy in Account A, which is exactly what cross-account S3 access requires: the target account's principal must be allowed by its own IAM policy, and the bucket owner must also allow that principal in the bucket policy. The IAM role in each target account (B, C, D) carries s3:GetObject on the code objects and s3:ListBucket on the bucket, so the principal that calls lambda:CreateFunction on CloudFormation's behalf (the stack's service role) can read the deployment package. The bucket policy in Account A names only those specific role ARNs, which keeps the grant at the principle of least privilege. Option B makes the package world-readable: a principal of "*" is a public grant, and S3 Block Public Access, where enabled, rejects such a bucket policy outright. Option C grants to every principal in an organization (for example through an aws:PrincipalOrgID condition), which is broader than necessary and assumes the accounts share an organization, which the question does not state. Option D does not work as described: CloudFormation does not assume a role in another account through a "service-based link", and an extra cross-account role hop adds complexity without narrowing access. Key points: grant permissions in the target account with an IAM role, grant cross-account access on the bucket with a bucket policy that names specific roles, scope both to the code objects rather than the whole bucket, and keep the bucket in the same region as the functions, since Lambda only loads a deployment package from a bucket in its own region.
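The policy pair Option A describes, as an added example that is not part of the original question or of any AWS documentation. It is written in Python so the two policy documents can be generated and reviewed offline; the bucket name, key prefix, account IDs, role name and organization ID are constructed placeholders. review_bucket_policy flags the over-broad grants the other options depend on, so the same check can be run against an existing bucket policy before it is applied.

```python
import json

# Constructed values for this example (assumptions, not from the question): the
# artifact bucket in Account A, the key prefix that holds the Lambda packages,
# and the CloudFormation service role in each target account (B, C, D).
CODE_BUCKET = "lambda-artifacts-account-a"
CODE_PREFIX = "lambda/"
TARGET_ROLE_ARNS = [
    "arn:aws:iam::222222222222:role/CloudFormationDeployRole",  # Account B
    "arn:aws:iam::333333333333:role/CloudFormationDeployRole",  # Account C
    "arn:aws:iam::444444444444:role/CloudFormationDeployRole",  # Account D
]


def bucket_policy(bucket, role_arns, prefix):
    """Resource policy for Account A's bucket (Option A): only the named
    target-account roles may list the code prefix and read objects under it.
    s3:ListBucket applies to the bucket ARN, s3:GetObject to the object ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TargetRolesListCodePrefix",
                "Effect": "Allow",
                "Principal": {"AWS": list(role_arns)},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {
                "Sid": "TargetRolesGetCode",
                "Effect": "Allow",
                "Principal": {"AWS": list(role_arns)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def target_role_policy(bucket, prefix):
    """Identity policy attached to each target account's CloudFormation service
    role. A cross-account read succeeds only when this policy AND the bucket
    policy in Account A both allow the call."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_bucket_policy(policy):
    """Flag the over-broad grants the wrong options rely on: a public principal
    (Option B), an organization-wide grant (Option C), wildcard actions, and
    read access to every object in the bucket instead of the code prefix."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        org_scoped = any("aws:PrincipalOrgID" in keys for keys in stmt.get("Condition", {}).values())
        if "*" in aws_principals:
            findings.append(f"{sid}: principal '*' " + ("scoped to a whole organization" if org_scoped else "(public)"))
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            name = resource.split(":::", 1)[-1]
            if name == "*" or (name.endswith("/*") and "/" not in name[:-2]):
                findings.append(f"{sid}: resource {resource} covers every object in the bucket")
    return findings


# Option B written as a policy document: world-readable packages.
OPTION_B_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{CODE_BUCKET}/*"}]}

# Option C written as a policy document; the organization ID is a constructed placeholder.
OPTION_C_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{CODE_BUCKET}/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

if __name__ == "__main__":
    print(json.dumps(bucket_policy(CODE_BUCKET, TARGET_ROLE_ARNS, CODE_PREFIX), indent=2))
    print(json.dumps(target_role_policy(CODE_BUCKET, CODE_PREFIX), indent=2))
    for label, doc in (("Option A", bucket_policy(CODE_BUCKET, TARGET_ROLE_ARNS, CODE_PREFIX)),
                       ("Option B", OPTION_B_POLICY), ("Option C", OPTION_C_POLICY)):
        print(label, review_bucket_policy(doc) or ["no findings"])
```

Two practical checks go with this. The Lambda::Function resource in each target stack points its Code.S3Bucket at the Account A bucket, which must sit in the same region as the stack. And if the packages were uploaded to that bucket by a principal from another account, set the bucket's Object Ownership to bucket owner enforced so that Account A owns the objects and the bucket policy, not per-object ACLs, decides who can read them.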

Answer

The correct answer is: A