
SAA-C03 Exam - Question 640


A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service (AWS KMS) keys. A solutions architect needs to design a solution that will ensure the required permissions are set correctly.

Which combination of actions accomplishes this? (Choose two.)

Correct Answer: BD

To ensure the Lambda function has the required permissions to decrypt files using AWS KMS keys, you need to grant the decrypt permission to the IAM role that the Lambda function assumes (its execution role). This is done in two places: the KMS key's policy is modified to name the Lambda execution role as a principal with the decrypt permission, and a new IAM policy with the kms:decrypt permission is created and attached to that execution role, so the permission is tied directly to the identity the function runs as. Together these two actions give the function exactly the decryption permission it needs.
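The explanation above turns on a point worth seeing in code: KMS checks two policies for one request. The key policy must either name the execution role directly (Option B) or delegate to IAM by allowing the account root principal, in which case an identity policy attached to the execution role (Option D/E) can grant kms:Decrypt. The following added example is not part of the exam page or of any AWS SDK; it is a deliberately simplified model of that evaluation (Allow/Deny on Principal, Action and Resource only, no conditions, grants, SCPs or permission boundaries), using a constructed account ID and constructed key and role ARNs. It shows that an identity policy alone is not enough when the key policy does not delegate to IAM, and that the policy is attached to the role, not to the function.

```python
"""Added example: toy model of the two-sided authorization that AWS KMS applies
to a kms:Decrypt call made by a Lambda execution role.

Simplified on purpose: Allow/Deny statements with Principal, Action and Resource
only. Conditions, grants, SCPs, permission boundaries and cross-account cases are
ignored. Account ID and ARNs below are constructed placeholders, not real values.
"""
import fnmatch

ACCOUNT = "111122223333"                                          # constructed
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"   # constructed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda-decrypt-role"     # constructed
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"

# Default "Enable IAM User Permissions" statement: the key policy delegates
# authorization for this key to IAM policies in the same account.
ENABLE_IAM = {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
              "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"}

# Option B: the key policy names the Lambda execution role directly.
ALLOW_ROLE_DECRYPT = {"Sid": "AllowLambdaRoleDecrypt", "Effect": "Allow",
                      "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt",
                      "Resource": "*"}

KEY_POLICY_ROOT_ONLY = {"Version": "2012-10-17", "Statement": [ENABLE_IAM]}
KEY_POLICY_B = {"Version": "2012-10-17",
                "Statement": [ENABLE_IAM, ALLOW_ROLE_DECRYPT]}
# A key policy that grants only a separate admin role and never delegates to IAM.
KEY_POLICY_NO_DELEGATION = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminOnly", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/kms-admin"},
     "Action": "kms:*", "Resource": "*"}]}

# Option D/E: identity-based policy attached to the execution ROLE (not to the
# function). Identity policies name resources, never a Principal.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement_principal, principal_arn):
    if statement_principal == "*":
        return True
    return any(p in ("*", principal_arn)
               for p in _as_list(statement_principal.get("AWS", [])))


def _matching_effects(policy, action, resource, principal_arn=None):
    """Yield the Effect of every statement that applies to this request.
    principal_arn is None for identity policies, whose statements have no Principal."""
    for stmt in policy["Statement"]:
        if principal_arn is not None and not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        yield stmt["Effect"]


def kms_allows(key_policy, identity_policies, principal_arn, account, action, key_arn):
    """True if the principal may perform `action` on the key.

    KMS rule (simplified): an explicit Deny wins; otherwise the key policy must allow
    the principal directly, or the key policy must allow the account root (delegating
    to IAM) AND an identity policy attached to the principal must allow the action."""
    root = f"arn:aws:iam::{account}:root"
    key_effects = list(_matching_effects(key_policy, action, key_arn, principal_arn))
    root_effects = list(_matching_effects(key_policy, action, key_arn, root))
    iam_effects = [e for p in identity_policies for e in _matching_effects(p, action, key_arn)]
    if "Deny" in key_effects or "Deny" in iam_effects:
        return False
    if "Allow" in key_effects:
        return True
    return "Allow" in root_effects and "Allow" in iam_effects


if __name__ == "__main__":
    cases = {
        "B only (key policy names the role)": (KEY_POLICY_B, []),
        "D/E only, key policy delegates to IAM": (KEY_POLICY_ROOT_ONLY, [ROLE_POLICY]),
        "D/E only, key policy does NOT delegate": (KEY_POLICY_NO_DELEGATION, [ROLE_POLICY]),
        "Delegation but no IAM policy on the role": (KEY_POLICY_ROOT_ONLY, []),
    }
    for name, (key_policy, identity) in cases.items():
        ok = kms_allows(key_policy, identity, ROLE_ARN, ACCOUNT, "kms:Decrypt", KEY_ARN)
        print(f"{name}: {'ALLOWED' if ok else 'DENIED'}")
```

Run it and the third case is the one the discussion below argues about: an IAM policy on the execution role does nothing for a key whose policy never delegates to IAM, which is why the key policy and the role's identity policy are configured together.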

Discussion

10 comments
NickGordon (Options: BE)
Nov 10, 2023

BE is right. The key policy has to be modified to give the Lambda execution role access. You can't set another resource policy as principal. So C is not right.

pentium75 (Options: BE)
Jan 2, 2024

Not A and C because they are about function's "resource policy" which controls who can manage the function, NOT what the function can do. Not D because you attach an IAM policy to an IAM principal, not to a Lambda function.

1Alpha1 (Options: BE)
Feb 8, 2024

B. Grant the decrypt permission for the Lambda ***IAM ROLE*** in the KMS key's policy.
E. Create a new ***IAM ROLE*** with the kms:decrypt permission and attach the execution role to the Lambda function.

TariqKipkemei (Options: BE)
Dec 4, 2023

Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function, then grant the decrypt permission for the Lambda IAM role in the KMS key's policy.

potomac (Options: DE)
Nov 7, 2023

DE? Create an IAM role for the Lambda function that also grants decryption permission to the S3 bucket. Configure the IAM role as the Lambda function's execution role. To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies.
https://repost.aws/knowledge-center/lambda-execution-role-s3-bucket
https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html

potomac
Nov 7, 2023

Change to CE.
C. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.
E. Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

pentium75
Jan 2, 2024

C is about the "Lambda resource policy", who can manage the function.

louisaok (Options: CE)
Nov 9, 2023

CE is right.

pentium75
Jan 2, 2024

No, the "Lambda resource policy" is about who can manage the Lambda function.

awsgeek75 (Options: BE)
Jan 13, 2024

A and C are resource policy, i.e. who can use Lambda.
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
D: The wording is confusing, so it sort of sounds as if it is correct, but you cannot attach a policy to a function.

wizcloudifa (Options: BE)
May 15, 2024

When it comes to permissions, look for the "IAM ROLE" word. Lambda would need a role to decrypt the S3 object; only roles can be attached to a function, not policies.

cjace
Jun 13, 2024

B D - The combination of Option B (Grant the decrypt permission for the Lambda IAM role in the KMS key's policy) and Option D (Create a new IAM policy with the kms permission and attach the policy to the Lambda function) ensures that both the IAM role used by the Lambda function and the KMS key policy are correctly configured to allow decryption of the files. This setup meets the security requirements and ensures the Lambda function can perform its tasks without issues.

1166ae3 (Options: BD)
Jul 4, 2024

E is wrong. An AWS Lambda function can hold only one IAM role. This role is known as the execution role. What we should do is create an IAM policy that allows the kms:Decrypt action and attach it to the Lambda function's execution role.