AWS Certified Security - Specialty (SCS-C02) Practice Exam

Correct Answers: C. Create an IAM role for the Lambda function. Attach an IAM policy that al-lows access to the S3 bucket.; D. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.

Why C is correct: Creating an IAM role for the Lambda function and attaching an IAM policy that allows S3 access is the AWS best practice. Lambda functions should use IAM roles (execution roles) rather than embedding credentials. The role is automatically assumed by Lambda at runtime, providing temporary credentials through AWS STS.Why D is correct: This is another valid approach using resource-based policies. You can create an IAM role for Lambda and then use an S3 bucket policy that explicitly allows that role (as the principal) to access the bucket. This demonstrates cross-service authorization using resource-based policies combined with identity-based roles.Why A is wrong: Storing access keys in environment variables is a security anti-pattern. It exposes long-term credentials that could be compromised. AWS explicitly recommends against embedding credentials in code or configuration.Why B is wrong: EC2 key pairs are used for SSH access to EC2 instances, not for AWS API authentication. This answer confuses instance access with service-to-service authentication. Lambda doesn't use SSH keys to communicate with S3.Why E is wrong: Security groups control network traffic (layer 3/4), not API access to S3. S3 access requires IAM permissions, not network security groups. Additionally, Lambda functions in VPC can have security groups, but this doesn't grant S3 API permissions.

Correct Answer: C. Custom SSL certificate that is stored in AWS Certificate Manager (ACM).

Why C is correct: AWS Certificate Manager (ACM) is specifically designed to store and manage SSL/TLS certificates for AWS services. ACM provides free public certificates, handles automatic renewal, and integrates seamlessly with services like CloudFront, Application Load Balancers, and API Gateway. This is the standard AWS solution for SSL/TLS certificate management.Why A is wrong: AWS KMS is designed for encryption key management, not SSL/TLS certificate storage. KMS manages cryptographic keys used for data encryption, but it's not the appropriate service for storing SSL/TLS certificates used for HTTPS connections.Why B is wrong: CloudFront doesn't provide a "default SSL certificate" for custom domains like example.com. CloudFront has a default certificate only for CloudFront distribution domains (*.cloudfront.net), not for custom domains. Custom domains require either ACM certificates or third-party certificates.Why D is wrong: S3 is not designed to store SSL/TLS certificates for use with web services. While you could technically store certificate files in S3, there's no native integration with HTTPS endpoints, and this would not be a secure or functional solution for serving HTTPS traffic.