Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › Which mechanism lets a Lambda function call S3, …
Which mechanism lets a Lambda function call S3, DynamoDB, etc. WITHOUT storing long-lived credentials in the code or environment?
AAn IAM user's access key shared with all team members
BStatic credentials stored in a public S3 bucket
CThe Lambda execution role (AWS injects short-lived STS credentials at runtime)
DHard-coded access keys in the function's source code
Answer & Solution
Correct answer: C. The Lambda execution role (AWS injects short-lived STS credentials at runtime)
Execution roles deliver short-lived STS credentials via Lambda's environment — no static keys. The other options leak credentials.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enWhich approach correctly handles environment-specific configuration (DB endpoints, featureAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-A Lambda function reads database credentials at cold start from AWS Secrets Manager and caAn API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with AL