How should the developer configure AWS SAM to grant the necessary read privilege to the S3 bucket?
Reference a second Lambda authorizer function.
Add a custom S3 bucket policy to the Lambda function.
Create an Amazon Simple Queue Service (SQS) topic for only S3 object reads. Reference the topic in the template.
Add the S3ReadPolicy template to the Lambda function’s execution role.
Explanations:
A Lambda authorizer is used for authorizing API Gateway requests, not for granting permissions to access S3. This option does not address the need for the Lambda function to read from the S3 bucket.
While a custom S3 bucket policy could be created to allow access, the best practice in AWS SAM is to manage permissions through the Lambda function’s execution role instead of creating separate bucket policies. Maintaining separate bucket policies complicates permissions management and is not the recommended approach in AWS SAM.
Creating an Amazon SQS topic for reading S3 objects is unnecessary and does not provide a direct way for the Lambda function to access S3. This option misrepresents the requirement, as the Lambda function can directly read from S3 without needing an SQS intermediary.
Adding the S3ReadPolicy to the Lambda function’s execution role is the correct approach, as it allows the Lambda function to have the necessary permissions to read objects from the specified S3 bucket. This method adheres to the principle of least privilege and simplifies permissions management.
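As an added illustration (not part of the original question), the following SAM template shows the correct option in practice: the S3ReadPolicy policy template is attached under the function’s Policies, and SAM expands it into read-only S3 actions (such as s3:GetObject and s3:ListBucket) scoped to the named bucket on the execution role it generates. The function name, parameter name and code path are assumptions for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  SourceBucketName:
    Type: String
    Description: Name of the existing S3 bucket the function reads from (assumed parameter)

Resources:
  ObjectReaderFunction:            # hypothetical function name
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/                # assumed code location
      Environment:
        Variables:
          SOURCE_BUCKET: !Ref SourceBucketName
      Policies:
        # SAM policy template: grants only read actions on this bucket and
        # its objects; no write or delete permissions are added.
        - S3ReadPolicy:
            BucketName: !Ref SourceBucketName
```

After deployment the generated execution role (visible in the IAM console or via `aws iam get-role-policy`) contains only the read statements for that bucket, which is the least-privilege outcome the explanation refers to.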