Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 640 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 640
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service (AWS KMS) keys. A solutions architect needs to design a solution that will ensure the required permissions are set correctly.

Which combination of actions accomplish this? (Choose two.)

  • A. Attach the kms:decrypt permission to the Lambda function’s resource policy
  • B. Grant the decrypt permission for the Lambda IAM role in the KMS key's policy
  • C. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.
  • D. Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
  • E. Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.
Show Suggested Answer Hide Answer
Suggested Answer: BE 🗳️
by potomac at Nov. 7, 2023, 2:48 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
NickGordon
Highly Voted 1 year ago
Selected Answer: BE
BE is right. The key policy has to be modified to give lambda execution role access. You can't set another resource policy as principle. So C is not right
upvoted 7 times
...
1166ae3
Most Recent 4 months, 2 weeks ago
Selected Answer: BD
E is wrong, AWS Lambda function can hold only one IAM role. This role is known as the execution role. What we should do is: creating an IAM policy that allows the kms:Decrypt action and attach it to the Lambda function’s execution role.
upvoted 1 times
...
cjace
5 months, 1 week ago
B D - The combination of Option B (Grant the decrypt permission for the Lambda IAM role in the KMS key's policy) and Option D (Create a new IAM policy with the kms permission and attach the policy to the Lambda function) ensures that both the IAM role used by the Lambda function and the KMS key policy are correctly configured to allow decryption of the files. This setup meets the security requirements and ensures the Lambda function can perform its tasks without issues.
upvoted 1 times
...
wizcloudifa
6 months, 1 week ago
Selected Answer: BE
when it comes to permissions look for the "IAM ROLE" word, lambda would need a role to decrypt the s3 object, only roles can be attached to a function not policies
upvoted 2 times
...
1Alpha1
9 months, 2 weeks ago
Selected Answer: BE
B. Grant the decrypt permission for the Lambda ***IAM ROLE*** in the KMS key's policy E. Create a new ***IAM ROLE*** with the kms:decrypt permission and attach the execution role to the Lambda function.
upvoted 3 times
...
awsgeek75
10 months, 1 week ago
Selected Answer: BE
AC are resource policy, i.e. who can use lambda. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html D: The wording is confusing so it sort of sounds as if it is correct but you cannot attach a policy to a function.
upvoted 1 times
...
pentium75
10 months, 3 weeks ago
Selected Answer: BE
Not A and C because they are about function's "resource policy" which controls who can manage the function, NOT what the function can do. Not D because you attach an IAM policy to an IAM principal, not to a Lambda function.
upvoted 3 times
...
TariqKipkemei
11 months, 3 weeks ago
Selected Answer: BE
Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function then grant the decrypt permission for the Lambda IAM role in the KMS key's policy
upvoted 2 times
...
louisaok
1 year ago
Selected Answer: CE
CE is right
upvoted 1 times
pentium75
10 months, 3 weeks ago
No, the "Lambda resource policy" is about who can manage the Lambda function
upvoted 1 times
...
...
potomac
1 year ago
Selected Answer: DE
DE? Create an IAM role for the Lambda function that also grants decryption permission to the S3 bucket. Configure the IAM role as the Lambda functions execution role. To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. https://repost.aws/knowledge-center/lambda-execution-role-s3-bucket https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
upvoted 1 times
potomac
1 year ago
change to CE C. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy. E. Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
upvoted 2 times
pentium75
10 months, 3 weeks ago
C is about the "Lambda resource policy", who can manage the function.
upvoted 1 times
...
...
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel