A company’s data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key. The company has AWS Lambda functions that run in the same account as the S3 bucket. The Lambda functions need to access the data in the S3 bucket. A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key. What should the security engineer do to meet this requirement?

Topic #: - All AWS Certified Security - Specialty Questions

A. Create Lambda IAM users for each Lambda function. Attach an IAM policy that includes specific access permissions to use the KMS key.
B. Create a key grant for the Lambda service principal. Add or remove specific access permissions to use the KMS key.
C. Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.
D. Configure each Lambda function to assume an IAM role that provides specific access permissions to use the AWS managed KMS key for Amazon S3.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Reference Material:

Suggested Answer:

Reference Material:

Share this post

Join the Discussion