Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 166 discussion

(CD) eliminated. service-based link is not supported by Lambda. (A) S3 ListBucket permission violates the principle of least privilege and therefore is not the most secure. Bucket policy to list principles of multiple accounts requires additional overhead. The list can change. (B) allows the CloudFormation service role to access the S3 bucket from any account, as long as it has the S3 GetObject permission. The bucket policy grants access to any principal with the GetObject permission, which is the least privilege needed to deploy the Lambda code.

A is the correct answer.

This approach is secure and provides a granular level of control. By granting the CloudFormation service role in each account the necessary S3 permissions and specifying the account numbers in the S3 bucket policy, you ensure that only the specified accounts can access the Lambda code. However, the ListBucket permission is not necessary if the CloudFormation template already knows the exact S3 object key.

Following ChatGPT 3.5, Option A is the best choice. I guess. - Follows the principle of least privilege by granting only the necessary permissions (ListBucket and GetObject) to the CloudFormation service role. - Adding a bucket policy with the principal of "AWS": [account numbers] restricts access to only the specified AWS accounts, providing a more secure access control mechanism. - This ensures that only the CloudFormation service role in the specified AWS accounts can access the Lambda code in the S3 bucket.

The correct answer is (A). Option (A) is the safest way to allow CloudFormation to access the Lambda code in the S3 bucket because it limits access to the specific accounts that need to deploy the Lambda functions. The bucket policy grants S3 ListBucket and GetObject permissions to the CloudFormation service role only for the accounts specified in the principal.