Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 640 discussion

BE is right. The key policy has to be modified to give lambda execution role access. You can't set another resource policy as principle. So C is not right

BE, IAM role act as the agent between lambda function and KMS

E is wrong, AWS Lambda function can hold only one IAM role. This role is known as the execution role. What we should do is: creating an IAM policy that allows the kms:Decrypt action and attach it to the Lambda function’s execution role.

B D - The combination of Option B (Grant the decrypt permission for the Lambda IAM role in the KMS key's policy) and Option D (Create a new IAM policy with the kms permission and attach the policy to the Lambda function) ensures that both the IAM role used by the Lambda function and the KMS key policy are correctly configured to allow decryption of the files. This setup meets the security requirements and ensures the Lambda function can perform its tasks without issues.

when it comes to permissions look for the "IAM ROLE" word, lambda would need a role to decrypt the s3 object, only roles can be attached to a function not policies

B. Grant the decrypt permission for the Lambda ***IAM ROLE*** in the KMS key's policy E. Create a new ***IAM ROLE*** with the kms:decrypt permission and attach the execution role to the Lambda function.

AC are resource policy, i.e. who can use lambda. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html D: The wording is confusing so it sort of sounds as if it is correct but you cannot attach a policy to a function.

Not A and C because they are about function's "resource policy" which controls who can manage the function, NOT what the function can do. Not D because you attach an IAM policy to an IAM principal, not to a Lambda function.

Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function then grant the decrypt permission for the Lambda IAM role in the KMS key's policy

CE is right

DE? Create an IAM role for the Lambda function that also grants decryption permission to the S3 bucket. Configure the IAM role as the Lambda functions execution role. To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. https://repost.aws/knowledge-center/lambda-execution-role-s3-bucket https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html