Lambda Function Access to DynamoDB - Best Practices


Question

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table.

The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table?

Explanations

Answer: D.

The correct approach is to create an IAM role (the function's execution role) that carries the required DynamoDB permissions and to associate that role with the Lambda function. Lambda assumes the role at invocation time and hands the function short-lived credentials, so no long-lived secret is stored anywhere in the function.

Option A is incorrect because it does not provide the required permission for the Lambda function.

Option B is incorrect because you need to attach the IAM policy to an IAM role and attach the role to the Lambda function.

Option C is incorrect because IAM users with long-lived access keys are not recommended for giving applications access; the keys have to be stored, distributed and rotated by hand, and anyone who can read the function configuration can read them.

IAM roles should be created for services that need to access other AWS services (for example, a Lambda function reading from S3 and writing to DynamoDB). The role's credentials are temporary and rotated automatically.

Option D is CORRECT because we need to create an IAM role with a policy providing access to DynamoDB and attach the role to the Lambda function.

This will allow Lambda to write metadata to DynamoDB when an object is stored in the S3 bucket.

The AWS Documentation additionally mentions the following.

Each Lambda function has an IAM role (execution role) associated with it.

You specify the IAM role when you create your Lambda function.

Permissions you grant to this role determine what AWS Lambda can do when it assumes the role.

There are two types of permissions that you grant to the IAM role:

If your Lambda function code accesses other AWS resources, such as reading an object from an S3 bucket or writing logs to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role.

If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.

For more information on the Lambda permission model, see https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html.

When an S3 object is stored in an S3 bucket, a Lambda function is triggered to read the object's metadata and store the metadata in a DynamoDB table. To give the Lambda function access to the DynamoDB table, there are different options available, but not all of them are equally suitable:

A. Create a VPC endpoint for DynamoDB within a VPC. A gateway endpoint keeps traffic between a VPC and DynamoDB on the AWS network instead of the public internet, which is a useful network control. It grants no IAM permissions, though: without an execution role that allows the DynamoDB actions, the function's requests are still denied. It is also unnecessary here, because the function is not in a VPC and can reach DynamoDB's regional endpoint directly.

B. Configure the Lambda function to access resources in the VPC. Attaching the function to a VPC only changes its network path (it would then need a NAT gateway or a VPC endpoint to reach DynamoDB at all). DynamoDB is a regional service that does not live in a VPC, and VPC configuration grants no permissions, so this option does not address the question.

C. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table. A resource-based policy grants access to an IAM principal, and a Lambda function is not a principal: it calls DynamoDB with the temporary credentials of its execution role. A table policy would therefore have to name that role, which must already exist and be attached to the function, so the policy adds nothing that the role's own permissions policy does not already provide (resource-based policies on DynamoDB tables are a newer feature whose main use is cross-account access). The one resource-based policy this architecture does need sits on the Lambda function, not on the table: it allows the S3 service to invoke the function, and it should be restricted with a source ARN condition naming the bucket. This option is not correct.

D. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables. This works mechanically, but it is the anti-pattern the roles model exists to avoid: the key never rotates unless someone rotates it, it is readable by anyone who can view the function configuration, and it leaks into deployment tooling, backups and logs. Lambda already provides credentials to the function without anyone managing a secret, so creating and maintaining an IAM user adds risk and work for no benefit.

E. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function. The execution role has a trust policy that allows lambda.amazonaws.com to assume it and a permissions policy scoped to the specific table (for example, dynamodb:PutItem on the table's ARN). Lambda assumes the role at invocation and exposes short-lived credentials to the function's SDK automatically. This is the correct option.

Therefore, the correct answer is E. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
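A worked setup for the answer above, covering both the execution-role explanation and the AWS documentation's two permission types. This is an added example, not code from the original page or from AWS. It builds the role's trust policy and a least-privilege permissions policy (option E), the resource-based policy on the function that lets S3 invoke it, a small linter that flags wildcard permissions and access keys stored in environment variables (the option D anti-pattern), and the handler that runs under the role. The AWS clients are injected so the handler can be exercised offline against in-memory stubs; the account ID, region, bucket, table and function names, and the sample object and event, are constructed assumptions.

```python
# Added example, not code from the page or from AWS. Account ID, region,
# bucket, table and function names below are assumptions.
import re
from urllib.parse import unquote_plus

ACCOUNT, REGION = "123456789012", "us-east-1"
TABLE, BUCKET, FUNCTION = "ObjectMetadata", "example-upload-bucket", "s3-metadata-indexer"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{TABLE}"

def trust_policy():
    """Who may assume the execution role: only the Lambda service, never an IAM user."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

def permissions_policy():
    """What the role may do: write one table, read one bucket's objects, write logs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "WriteMetadata", "Effect": "Allow",
         "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN},
        {"Sid": "ReadObject", "Effect": "Allow",  # HeadObject requires s3:GetObject
         "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:*"}]}

def invoke_permission():
    """Resource-based policy on the function (not on the table): S3 may invoke it,
    but only this bucket in this account, which blocks confused-deputy invocations."""
    return {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{FUNCTION}",
            "Condition": {"ArnLike": {"AWS:SourceArn": f"arn:aws:s3:::{BUCKET}"},
                          "StringEquals": {"AWS:SourceAccount": ACCOUNT}}}

def policy_findings(policy):
    """Flag Allow statements with a wildcard action or a bare '*' resource."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "<no Sid>")
        findings += [f"{sid}: wildcard action {a}" for a in actions if a == "*" or a.endswith(":*")]
        findings += [f"{sid}: wildcard resource" for r in resources if r == "*"]
    return findings

def env_findings(env):
    """Flag IAM user access keys or secrets stored in environment variables (option D)."""
    return [name for name, value in env.items()
            if re.fullmatch(r"AKIA[A-Z0-9]{16}", value) or "SECRET" in name.upper()]

def lambda_handler(event, context, s3, dynamodb):
    """Record metadata for each object in the S3 event. In production s3 and dynamodb
    are boto3 clients that pick up the execution role's temporary credentials from
    the runtime, so the handler itself never touches a secret."""
    written = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys in events
        head = s3.head_object(Bucket=bucket, Key=key)
        item = {"ObjectKey": {"S": f"{bucket}/{key}"},
                "ContentType": {"S": head.get("ContentType", "")},
                "Size": {"N": str(head["ContentLength"])},
                "ETag": {"S": head["ETag"].strip('"')},
                "UserMetadata": {"M": {k: {"S": v} for k, v in head.get("Metadata", {}).items()}}}
        dynamodb.put_item(TableName=TABLE, Item=item)
        written.append(item["ObjectKey"]["S"])
    return written

class StubS3:  # constructed stand-in for the boto3 S3 client
    def __init__(self, objects): self.objects = objects
    def head_object(self, Bucket, Key): return self.objects[(Bucket, Key)]

class StubDynamoDB:  # constructed stand-in for the boto3 DynamoDB client
    def __init__(self): self.tables = {}
    def put_item(self, TableName, Item):
        self.tables.setdefault(TableName, {})[Item["ObjectKey"]["S"]] = Item

def demo():
    """Run the handler on a constructed S3 event; returns (keys written, table contents)."""
    s3 = StubS3({(BUCKET, "reports/q1 report.pdf"): {
        "ContentLength": 2048, "ContentType": "application/pdf",
        "ETag": '"9e107d9d372bb6826bd81d3542a419d6"', "Metadata": {"owner": "finance"}}})
    ddb = StubDynamoDB()
    event = {"Records": [{"s3": {"bucket": {"name": BUCKET},
                                 "object": {"key": "reports/q1+report.pdf"}}}]}
    return lambda_handler(event, None, s3, ddb), ddb.tables

if __name__ == "__main__":
    print(policy_findings(permissions_policy()), demo())
```

To deploy this shape with the AWS CLI, the trust document goes to `aws iam create-role --assume-role-policy-document`, the permissions document to `aws iam put-role-policy`, the role ARN to `aws lambda create-function --role`, and the invoke statement is added with `aws lambda add-permission --principal s3.amazonaws.com --action lambda:InvokeFunction --source-arn arn:aws:s3:::BUCKET --source-account ACCOUNT` before the bucket notification is configured. Note that the permissions policy uses dynamodb:PutItem on one table ARN rather than dynamodb:* on "*"; running the same linter over the broader policy shows why that distinction is worth enforcing in a deployment pipeline.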