Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › Which IAM construct is best for granting a CodeB…
Which IAM construct is best for granting a CodeBuild project the right to read from one specific S3 bucket and write to one specific ECR repo?
AA scoped IAM role attached to the CodeBuild service role with a least-privilege inline policy
BGranting the CodeBuild service the `AdministratorAccess` managed policy
CSharing the AWS root account access key with CodeBuild
DDisabling IAM entirely for the build environment
Answer & Solution
Correct answer: A. A scoped IAM role attached to the CodeBuild service role with a least-privilege inline policy
Least privilege = a narrow role scoped to the exact bucket and repo. Admin access, root-credential sharing, or disabling IAM all violate the principle. CodeBuild assumes its service role at runtime.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enWhich approach correctly handles environment-specific configuration (DB endpoints, featureAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-A Lambda function reads database credentials at cold start from AWS Secrets Manager and caAn API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w