A company’s data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key. The company has AWS Lambda functions that run in the same account as the S3 bucket. The Lambda functions need to access the data in the S3 bucket. A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.
What should the security engineer do to meet this requirement?

A. Create Lambda IAM users for each Lambda function. Attach an IAM policy that includes specific access permissions to use the KMS key.

B. Create a key grant for the Lambda service principal. Add or remove specific access permissions to use the KMS key.

C. Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.

D. Configure each Lambda function to assume an IAM role that provides specific access permissions to use the AWS managed KMS key for Amazon S3.








 

Suggested Answer: D

Community Answer: C




This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.