The correct answer is Attach an IAM role to the Lambda function and assign a policy to the role that grants read access to only the required S3 bucket. This method adheres to the principle of least privilege and avoids hardcoding credentials. IAM roles assigned to Lambda functions automatically provide secure and temporary credentials, and scoping the policy to a specific S3 bucket ensures the Lambda function has only the permissions it needs.

The option Embed an AWS access key and secret key in the Lambda functions code to provide read access to the S3 bucket is insecure and strongly discouraged. Hardcoding credentials increases the risk of credential leakage and makes rotation difficult.

The option Use an S3 bucket policy to grant read access to the Lambda function without configuring IAM roles is not appropriate, because Lambda functions assume execution roles, and permissions should be managed at the IAM role level rather than modifying the S3 buckets policy unnecessarily.

The choice Attach an IAM role to the Lambda function and grant it read access to all S3 buckets in the account violates the principle of least privilege. Granting broader access than required increases the attack surface and is not the most secure choice.

This question is important for testing knowledge of secure AWS identity and access management practices. The trick is recognizing that IAM roles are the recommended way for Lambda to access other AWS services securely, and that granular permissions should be applied to reduce risk.

The challenge lies in avoiding seemingly valid but less secure or overly permissive alternatives, especially those that dont follow best practices for credentials and resource-level access.

Full AWS Practitioner Certification Question