What should the security engineer do to meet this requirement?

A company’s data is encrypted in an Amazon S3 bucket by an AWS Key Management Service (AWS KMS) customer managed key.The company has AWS Lambda functions that run in the same account as the S3 bucket.The Lambda functions need to access the data in the S3 bucket.A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.

What should the security engineer do to meet this requirement?

Create Lambda IAM users for each Lambda function. Attach an IAM policy that includes specific access permissions to use the KMS key.

Create a key grant for the Lambda service principal. Add or remove specific access permissions to use the KMS key.

Create a Lambda execution role that provides specific access permissions to use the KMS key for each Lambda function.

Configure each Lambda function to assume an IAM role that provides specific access permissions to use the AWS managed KMS key for Amazon S3.

Explanations:

IAM users are not necessary for Lambda functions. Instead, Lambda functions should assume execution roles to interact with AWS services, including KMS.

A key grant for the Lambda service principal does not provide the needed programmatic access control for each individual Lambda function. Instead, the Lambda functions should be assigned specific permissions through execution roles.

Creating a Lambda execution role for each Lambda function allows specific access permissions to the KMS key for each function. This is the correct way to provide granular permissions for Lambda functions.

Assuming an IAM role is not necessary if each Lambda function already has an execution role. The correct approach is to directly configure the execution role with the specific permissions needed to access the KMS key.

Free study guides, practices test, sample questions

What should the security engineer do to meet this requirement?

Explanations:

1 Comment

Leave a Reply Cancel reply