Which IAM policy grants the least privilege necessary for a Lambda function to read items from a specific DynamoDB table?
Focus on granting only the actions needed and restrict the resource to the specific table.
Option C grants only the read actions (GetItem, Query) on the specific DynamoDB table, following least privilege. The other options are wrong: granting all actions on all resources is excessive, granting only DeleteItem is not what a reading function needs, and restricting the actions while allowing access to all tables is broader than necessary.
You want an EC2 instance to upload files only to a specific S3 bucket. Which IAM role policy follows the least privilege principle?
Allow only the action needed to upload files and restrict to the specific bucket path.
Option A allows only the PutObject action on the specific bucket path, which is exactly what is needed. The other options are wrong: allowing all S3 actions on all buckets is too broad, allowing only listing of the bucket does not permit uploading, and allowing only reading of objects is not the required permission.
You have a web app with three tiers: frontend, backend, and database. Which architecture best applies the least privilege principle for AWS IAM roles?
Think about limiting permissions to only what each tier needs.
Option A assigns each tier a role with only the permissions it strictly needs: the frontend has no AWS permissions, the backend accesses DynamoDB, and the database tier accesses RDS. This follows least privilege. The other options are wrong: granting all permissions to all tiers is excessive, granting full S3 access to the frontend and backend is unnecessary, and granting the backend full AWS access is too broad.
You deploy a Lambda function with an IAM role that has full access to all S3 buckets. What is the likely impact compared to a role with access only to one bucket?
Consider security risks of broad permissions.
Option B is correct because broad permissions allow the function to access all buckets, which increases the blast radius if the function is compromised. The other options are wrong: permissions define what is allowed, not what is used; too many permissions do not cause the function to fail; and permissions do not affect execution speed.
An AWS account A grants an IAM role in account B permission to assume it and access all S3 buckets in account A. Which statement best describes the least privilege violation?
Focus on limiting permissions granted across accounts.
Option D correctly identifies that granting access to all S3 buckets violates least privilege; the cross-account permission should be limited to only the necessary buckets. The other options are wrong: one is insecure and itself violates least privilege, one is unrelated to the problem and insecure, and one is too restrictive and may not meet business needs.