Step-by-Step Breakdown:
Requirement Summary:
Use AWS SAM to deploy:
1 Lambda Function
1 S3 Bucket
Lambda needs read-only access to the S3 bucket
Solution must be expressed via AWS SAM template
Option A: Reference a second Lambda authorizer function
Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.
Option B: Add a custom S3 bucket policy to the Lambda function
Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.
The permission must be granted to the Lambda’s IAM execution role.
Option C: Create an Amazon SQS topic for only S3 object reads
Incorrect: SQS is a message queue service (topics belong to SNS, not SQS), and creating a queue or topic does not grant the Lambda function any permission to read objects from the S3 bucket.
Option D: Add the S3ReadPolicy template to the Lambda function's execution role
Correct: The Policies: property of an AWS::Serverless::Function accepts AWS managed policy names such as AmazonS3ReadOnlyAccess as well as SAM policy templates such as S3ReadPolicy, which grants read-only permissions scoped to a single named bucket.
SAM attaches whatever you list there to the Lambda’s execution role, so the S3ReadPolicy template applied to the function is the least-privilege answer.
Example SAM YAML:

```yaml
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: my-code/
      Handler: app.handler
      Runtime: python3.11
      Policies:
        # SAM policy template: read-only S3 access scoped to MyBucket,
        # attached to the function's execution role
        - S3ReadPolicy:
            BucketName: !Ref MyBucket
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-personal-bucket-name
```
SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html
Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy
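The reason option D is preferred is that it scopes read access to one bucket; the same Policies: section can just as easily hand a function far more. As an added example (not from the page, and not part of AWS SAM), the following standard-library-only Python check walks a SAM template in its JSON form (the YAML above is equivalent; `!Ref MyBucket` becomes `{"Ref": "MyBucket"}`) and flags each Lambda function whose Policies: grant more than scoped S3 read access. The policy template names S3CrudPolicy, S3WritePolicy and S3FullAccessPolicy and the managed policy AmazonS3FullAccess are real SAM/AWS names that are not on the page; the second function (OverPrivilegedFunction), the sample template and the finding text are constructed for this example.

```python
"""Least-privilege check for the S3 permissions a SAM template grants each function.

Added example: reads a SAM template in JSON form and reports Policies entries
that grant S3 write/delete access or are not scoped to a single bucket.
"""
import json

# Managed policies that grant write/delete on every bucket (names are real AWS policies).
BROAD_MANAGED_POLICIES = {"AmazonS3FullAccess", "AdministratorAccess"}
# SAM policy templates that grant more than read access (real SAM template names).
BROAD_S3_TEMPLATES = {"S3CrudPolicy", "S3FullAccessPolicy", "S3WritePolicy"}
# The read-only S3 actions we accept in an inline statement.
READ_ONLY_S3_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
                        "s3:GetBucketLocation", "s3:GetLifecycleConfiguration"}


def _as_list(value):
    """CloudFormation allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _inline_statement_findings(name, statement):
    """Check an inline IAM statement (a dict or list under the Statement key)."""
    findings = []
    for stmt in _as_list(statement):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        for action in actions:
            if not action.startswith("s3:"):
                continue
            if "*" in action or action not in READ_ONLY_S3_ACTIONS:
                findings.append(f"{name}: inline statement allows non-read S3 action {action}")
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" for r in resources) and any(a.startswith("s3:") for a in actions):
            findings.append(f"{name}: inline S3 statement is not scoped to a bucket (Resource: *)")
    return findings


def check_s3_least_privilege(template):
    """Return one finding string per over-broad S3 grant on any AWS::Serverless::Function."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for policy in _as_list(res.get("Properties", {}).get("Policies", [])):
            if isinstance(policy, str):
                if policy in BROAD_MANAGED_POLICIES:
                    findings.append(f"{name}: managed policy {policy} grants write/delete on all buckets")
                elif policy == "AmazonS3ReadOnlyAccess":
                    findings.append(f"{name}: AmazonS3ReadOnlyAccess is read-only but covers every bucket in the account")
            elif isinstance(policy, dict):
                for key, params in policy.items():
                    if key in BROAD_S3_TEMPLATES:
                        findings.append(f"{name}: policy template {key} grants more than read access")
                    elif key == "Statement":
                        findings.extend(_inline_statement_findings(name, params))
    return findings


# Constructed sample: MyFunction mirrors the page's template; the second function is over-privileged.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "CodeUri": "my-code/", "Handler": "app.handler", "Runtime": "python3.11",
        "Policies": [ {"S3ReadPolicy": {"BucketName": {"Ref": "MyBucket"}}} ]
      }
    },
    "OverPrivilegedFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "CodeUri": "other/", "Handler": "app.handler", "Runtime": "python3.11",
        "Policies": [
          "AmazonS3FullAccess",
          {"S3CrudPolicy": {"BucketName": {"Ref": "MyBucket"}}},
          {"Statement": [{"Effect": "Allow",
                          "Action": ["s3:GetObject", "s3:PutObject"],
                          "Resource": "*"}]}
        ]
      }
    },
    "MyBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "my-personal-bucket-name"}}
  }
}
""")

if __name__ == "__main__":
    for finding in check_s3_least_privilege(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the sample, MyFunction (the page's S3ReadPolicy setup) produces no findings, while OverPrivilegedFunction is reported four times: once for the managed policy, once for S3CrudPolicy, once for the inline s3:PutObject action, and once for the unscoped Resource. A check like this belongs in CI next to `sam validate`, so a template that drifts away from the scoped read policy is caught before deployment.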