Step-by-Step Breakdown:
Requirement Summary:
Use AWS SAM to deploy:
1 Lambda Function
1 S3 Bucket
Lambda needs read-only access to the S3 bucket
Solution must be expressed via an AWS SAM template
Option A: Reference a second Lambda authorizer function
❌ Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.
Option B: Add a custom S3 bucket policy to the Lambda function
❌ Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.
The permission must be granted to the Lambda's IAM execution role.
Option C: Create an Amazon SQS topic for only S3 object reads
❌ Incorrect: SQS is a queue service (topics belong to SNS), and neither messaging service grants a Lambda function permissions on an S3 bucket.
Option D: Add the S3ReadPolicy template to the Lambda function's execution role
✅ Correct: In a SAM template's Policies property you can attach AWS managed policies such as AmazonS3ReadOnlyAccess, or use SAM policy templates (shortcuts) such as S3ReadPolicy.
Listing S3ReadPolicy under Policies: attaches read-only access to the named bucket to the Lambda's execution role, which is the least-privilege choice here.
Example SAM YAML:

```yaml
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: my-code/
      Handler: app.handler
      Runtime: python3.11
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref MyBucket
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-personal-bucket-name
```
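As an added least-privilege check (not from the original page and not part of AWS SAM), a small Python helper that walks the Policies list of each AWS::Serverless::Function and flags S3 permissions that are broader than read-only or not scoped to a single bucket. The template dict is the parsed form of the YAML above with !Ref in its JSON form; the managed-policy and template names it flags are illustrative assumptions.

```python
# Hypothetical least-privilege checker for the Policies list of
# AWS::Serverless::Function resources (not part of AWS SAM itself).

# Parsed form of the SAM template above; !Ref is written in its JSON form
# {"Ref": ...}. Constructed inline so the check runs without PyYAML.
SAM_TEMPLATE = {"Resources": {
    "MyFunction": {"Type": "AWS::Serverless::Function", "Properties": {
        "CodeUri": "my-code/", "Handler": "app.handler", "Runtime": "python3.11",
        "Policies": [{"S3ReadPolicy": {"BucketName": {"Ref": "MyBucket"}}}]}},
    "MyBucket": {"Type": "AWS::S3::Bucket",
                 "Properties": {"BucketName": "my-personal-bucket-name"}},
}}

# AWS managed policies that grant S3 write/delete (illustrative, not exhaustive).
BROAD_MANAGED = {"AmazonS3FullAccess", "AdministratorAccess", "PowerUserAccess"}
# SAM policy templates that grant more than read access to S3.
S3_WRITE_TEMPLATES = {"S3CrudPolicy", "S3WritePolicy", "S3FullAccessPolicy"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _s3_write_action(action):
    """True for wildcard or mutating S3 actions in an inline statement."""
    return action in ("*", "s3:*") or action.startswith(("s3:Put", "s3:Delete"))


def check_function_policies(template):
    """Return (function name, message) findings for S3 permissions that are
    broader than read-only or not scoped to a single bucket."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for pol in _as_list(res.get("Properties", {}).get("Policies", [])):
            if isinstance(pol, str):                      # managed policy name
                if pol in BROAD_MANAGED:
                    findings.append((name, f"broad managed policy {pol}"))
                continue
            for stmt in _as_list(pol.get("Statement", [])):  # inline document
                if stmt.get("Effect", "Allow") == "Allow" and any(
                        _s3_write_action(a) for a in _as_list(stmt.get("Action", []))):
                    findings.append((name, "inline statement allows S3 writes"))
            for tmpl, params in pol.items():                # SAM policy templates
                if tmpl in S3_WRITE_TEMPLATES:
                    findings.append((name, f"{tmpl} grants more than read"))
                elif tmpl.startswith("S3") and isinstance(params, dict) \
                        and params.get("BucketName") == "*":
                    findings.append((name, f"{tmpl} is not scoped to one bucket"))
    return findings
```

Running `check_function_policies(SAM_TEMPLATE)` on the template above returns no findings; swapping S3ReadPolicy for AmazonS3FullAccess or an inline `s3:*` statement produces one.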
SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html
Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy