How should the developer configure the permissions to adhere to the principle of least privilege?

By:
In: DVA-C02
Tagged:
With: 1 Comment
An AWS Lambda function is running in a company’s shared AWS account.The function needs to perform an additional ec2:DescribeInstances action that is directed at the company’s development accounts.A developer must configure the required permissions across the accounts.

How should the developer configure the permissions to adhere to the principle of least privilege?

Create an IAM role in the shared account. Add the ec2:DescribeInstances permission to the role. Establish a trust relationship between the development accounts for this role. Update the Lambda function IAM role in the shared account by adding the ec2:DescribeInstances permission to the role.

Create an IAM role in the development accounts. Add the ec2:DescribeInstances permission to the role. Establish a trust relationship with the shared account for this role. Update the Lambda function IAM role in the shared account by adding the iam:AssumeRole permissions.

Create an IAM role in the shared account. Add the ec2:DescribeInstances permission to the role. Establish a trust relationship between the development accounts for this role. Update the Lambda function IAM role in the shared account by adding the iam:AssumeRole permissions.

Create an IAM role in the development accounts. Add the ec2:DescribeInstances permission to the role. Establish a trust relationship with the shared account for this role. Update the Lambda function IAM role in the shared account by adding the ec2:DescribeInstances permission to the role.

Explanations:

This option suggests creating a role in the shared account with permissions to describe instances in development accounts. However, the Lambda function needs permission to access resources in the development accounts, which requires a trust relationship established from the development accounts.

This option correctly proposes creating an IAM role in the development accounts with the necessary permission (ec2). The role should establish a trust relationship with the shared account, allowing the Lambda function to assume the role, adhering to the principle of least privilege by granting access only to the required action in a limited scope.

This option also suggests creating a role in the shared account, but it does not provide access to the Lambda function in the shared account to the resources in the development accounts. The trust relationship should be established from the development accounts to the shared account for proper access.

While this option correctly suggests creating a role in the development accounts with the necessary permission, it incorrectly states that the Lambda function’s role in the shared account should have ec2permission. Instead, it should assume the role created in the development accounts to gain that permission, thus not adhering to least privilege for the Lambda function’s role.

2025-10-12

1 Comment

  1. Austin
    Author

    I systematize that the answer is:
    Create an IAM role in the development accounts. Add the ec2:DescribeInstances permission to the role. Establish a trust relationship with the shared account for this role. Update the Lambda function IAM role in the shared account by adding the iam:AssumeRole permissions.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × three =