AWS Certified Developer – Associate / Question #979 of 557

Question #979

A developer is automating a new application deployment with AWS Serverless Application Model (AWS SAM). The new application has one AWS Lambda function and one Amazon S3 bucket. The Lambda function must access the S3 bucket to only write objects.

How should the developer configure AWS SAM to grant the necessary write privilege to the S3 bucket?

A

Reference a second Lambda authorizer function.

B

Add a custom S3 bucket policy to the Lambda function.

C

Create an Amazon Simple Notification Service (SNS) topic for only S3 object writes. Reference the topic in the template.

D

Add the S3WritePolicy template to the Lambda function's execution role.

Explanation

Answer D is correct because AWS SAM provides managed policy templates (e.g., S3WritePolicy) to simplify IAM permissions. By adding S3WritePolicy to the Lambda function's execution role, the function gains write-only permissions (e.g., s3:PutObject) to the S3 bucket. This approach follows AWS best practices for serverless applications.

Other options are incorrect because:
- A: Lambda authorizers are for API Gateway authentication, unrelated to S3 permissions.
- B: A bucket policy is attached to the bucket, not to a Lambda function; SAM grants a function's access through its execution role permissions, not through bucket policies.
- C: SNS topics handle event notifications, not direct write permissions.

Key Takeaway: Use AWS SAM's managed policies (e.g., S3WritePolicy) to grant least-privilege access to resources like S3 buckets.
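As an added illustration (not part of the original question bank), the following SAM template wires the S3WritePolicy policy template onto the function's execution role, scoped to the one bucket the same template creates; the resource names (UploadsBucket, WriterFunction), runtime, handler and CodeUri are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: One Lambda function with write-only access to one S3 bucket (added example)

Resources:
  # The bucket the function writes to. Names are assumed for this example;
  # public access is blocked so the only path to the objects is via IAM.
  UploadsBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  WriterFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12      # assumed
      Handler: app.handler     # assumed
      CodeUri: src/            # assumed
      Environment:
        Variables:
          BUCKET_NAME: !Ref UploadsBucket
      # SAM expands the policy template into an inline IAM policy on the
      # function's auto-generated execution role. The BucketName parameter
      # limits the granted actions (such as s3:PutObject) to this bucket only,
      # which is what makes this least-privilege compared with attaching a
      # broad managed policy like AmazonS3FullAccess or granting s3:* on "*".
      Policies:
        - S3WritePolicy:
            BucketName: !Ref UploadsBucket

Outputs:
  FunctionRoleArn:
    Description: Execution role that received the S3WritePolicy statements
    Value: !GetAtt WriterFunctionRole.Arn
  BucketName:
    Value: !Ref UploadsBucket
```

After `sam deploy`, the effective permissions can be checked with `aws iam list-role-policies` / `get-role-policy` against the generated `WriterFunctionRole`, confirming no read or list actions on the bucket were granted beyond what the template defines.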

Answer

The correct answer is: D