Topic 1 Question 166
A developer has code that is stored in an Amazon S3 bucket. The code must be deployed as an AWS Lambda function across multiple accounts in the same AWS Region as the S3 bucket. An AWS CloudFormation template that runs for each account will deploy the Lambda function.
What is the MOST secure way to allow CloudFormation to access the Lambda code in the S3 bucket?
Grant the CloudFormation service role the S3 ListBucket and GetObject permissions. Add a bucket policy to Amazon S3 with the principal of “AWS”: [account numbers].
Grant the CloudFormation service role the S3 GetObject permission. Add a bucket policy to Amazon S3 with the principal of “*”.
Use a service-based link to grant the Lambda function the S3 ListBucket and GetObject permissions by explicitly adding the S3 bucket’s account number in the resource.
Use a service-based link to grant the Lambda function the S3 GetObject permission. Add a resource of “*” to allow access to the S3 bucket.
ユーザの投票
コメント(2)
- 正解だと思う選択肢: A
The correct answer is (A).
Option (A) is the safest way to allow CloudFormation to access the Lambda code in the S3 bucket because it limits access to the specific accounts that need to deploy the Lambda functions. The bucket policy grants S3 ListBucket and GetObject permissions to the CloudFormation service role only for the accounts specified in the principal.
👍 2Digo30sp2023/10/06 - 正解だと思う選択肢: A
Following ChatGPT 3.5, Option A is the best choice. I guess.
- Follows the principle of least privilege by granting only the necessary permissions (ListBucket and GetObject) to the CloudFormation service role.
- Adding a bucket policy with the principal of "AWS": [account numbers] restricts access to only the specified AWS accounts, providing a more secure access control mechanism.
- This ensures that only the CloudFormation service role in the specified AWS accounts can access the Lambda code in the S3 bucket.
👍 1TanTran042023/12/11
シャッフルモード