AWS Lambda Function Access to DynamoDB Table

Giving Lambda Function Access to DynamoDB Table

Question

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table.

The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table?

Answers

Explanations


A. B. C. D. E.

Answer is D.

Option A is incorrect because you only use this option when you are trying to access DynamoDB from a VPC. Option B is incorrect because you need to attach an IAM policy and not a service policy.

Option C is incorrect because using IAM users and access keys is a bad practice for giving access to applications.

Option D is CORRECT because the ideal way is to create an IAM role that has the required permissions and then associate it with the Lambda function.

The IAM role will have all the necessary permissions for secure access to AWS resources.

The AWS Documentation additionally mentions the following:

Each Lambda function has an IAM role (execution role) associated with it.

You specify the IAM role when you create your Lambda function.

Permissions you grant to this role determine what AWS Lambda can do when it assumes the role.

For more information on the Lambda permission model, please visit the URL below: https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html.

The correct answer is E - Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Explanation: When a Lambda function is triggered, it assumes an execution role that provides permissions for the function to access other resources. In this case, the function needs to write to a DynamoDB table, so it needs an execution role with permissions to do so.

Option A, creating a VPC endpoint for DynamoDB within a VPC, is not necessary for accessing DynamoDB from a Lambda function.

Option B, configuring the Lambda function to access resources in the VPC, is not relevant to the question, as it is not mentioned that the DynamoDB table is in a VPC.

Option C, creating a resource policy that grants the Lambda function permissions to write to the DynamoDB table and attaching the policy to the DynamoDB table, is not the best option because it is not recommended to grant a Lambda function access directly on the DynamoDB table. Instead, a role should be used to manage the permissions.

Option D, creating an IAM user with permissions to write to the DynamoDB table and storing an access key for that user in the Lambda environment variables, is not recommended because storing access keys in environment variables poses a security risk.

Option E, creating an IAM service role with permissions to write to the DynamoDB table and associating that role with the Lambda function, is the recommended approach. A service role is an AWS Identity and Access Management (IAM) role that allows AWS services to interact with other AWS resources on your behalf. The service role can be associated with the Lambda function at the time of creation or after the function is created.

Therefore, the correct approach is to create an IAM service role with permissions to write to the DynamoDB table and associate that role with the Lambda function.
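As an added example (not from the original question or from either explanation above), the following Python builds the execution role that both explanations describe: a trust policy that only lambda.amazonaws.com may assume, and a permissions policy scoped to dynamodb:PutItem on a single table ARN rather than a wildcard. It also includes small checks that flag the two rejected patterns, an over-broad policy with wildcard actions or resources, and static access keys stored in the function's environment variables. The account ID, region, table, bucket and function names are constructed placeholders, not values from the page.

```python
"""Least-privilege Lambda execution role for the S3 -> Lambda -> DynamoDB flow.

Added example; all identifiers below are constructed placeholders.
"""
import json
import re

ACCOUNT_ID = "123456789012"  # assumed account
REGION = "us-east-1"         # assumed region
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/ObjectMetadata"
BUCKET_ARN = "arn:aws:s3:::example-upload-bucket"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/s3-metadata-indexer"


def trust_policy() -> dict:
    """Who may assume the role: only the Lambda service, and only for functions
    in this account. aws:SourceAccount blocks a cross-account confused deputy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        }],
    }


def permissions_policy() -> dict:
    """What the role may do: write items to one table, read objects from the
    triggering bucket (HeadObject requires s3:GetObject), write its own logs.
    The log group is assumed to be pre-created, so logs:CreateLogGroup is omitted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "WriteMetadata", "Effect": "Allow",
             "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN},
            {"Sid": "ReadObject", "Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": f"{BUCKET_ARN}/*"},
            {"Sid": "Logs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{LOG_GROUP_ARN}:*"},
        ],
    }


# Anti-pattern for comparison (constructed): works, but grants every DynamoDB
# action on every table in the account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_findings(policy: dict) -> list:
    """Flag Allow statements that use wildcard resources or wildcard actions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        findings += [f"{sid}: Resource is '*'" for r in _as_list(st.get("Resource", [])) if r == "*"]
        findings += [f"{sid}: wildcard action {a}" for a in _as_list(st.get("Action", []))
                     if a == "*" or a.endswith(":*")]
    return findings


def trust_findings(trust: dict) -> list:
    """Ensure only the Lambda service principal can assume the role, with a condition."""
    findings = []
    for st in trust.get("Statement", []):
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" in principal:
            findings.append("trust policy allows non-service principals")
            continue
        if _as_list(principal.get("Service", [])) != ["lambda.amazonaws.com"]:
            findings.append("trust policy service is not exactly lambda.amazonaws.com")
        if "Condition" not in st:
            findings.append("no aws:SourceAccount/aws:SourceArn condition")
    return findings


_AKIA = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # long-term access key ID format


def env_credential_findings(env: dict) -> list:
    """Detect the rejected 'IAM user access key in environment variables' pattern.
    Lambda reserves AWS_ACCESS_KEY_ID for the role's own temporary credentials,
    so a smuggled key would sit under a custom name: check names and values."""
    return [f"static credential material in env var {k}" for k, v in env.items()
            if re.search(r"(ACCESS_KEY|SECRET)", k, re.I) or _AKIA.search(str(v))]


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("scoped policy findings:", policy_findings(permissions_policy()))
    print("over-broad policy findings:", policy_findings(OVERBROAD_POLICY))
    print("env findings:", env_credential_findings({"DDB_KEY": "AKIAIOSFODNN7EXAMPLE"}))
```

The function code itself then needs no credential handling at all: the AWS SDK inside the runtime picks up the execution role's temporary credentials from the environment Lambda provides, which is why no access key belongs in the environment variables. The trust-policy condition is an extra guard beyond what the explanations mention; it restricts which account's functions may assume the role.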