During an architecture review of a serverless application, a security architect discovers that multiple Lambda functions share a single overprivileged IAM execution role with full S3 and DynamoDB access. Applying zero trust principles, what is the MOST appropriate remediation?

Question

Accepted Answer

B. Assign each Lambda function a dedicated IAM execution role scoped to only the specific resources and actions it requires. Zero trust requires defining precise subject-object relationships with least-privilege access. Each Lambda function (subject) should have its own execution role scoped only to the specific S3 buckets or DynamoDB tables (objects) it needs and only the actions required. Shared overprivileged roles violate zero trust's subject-object least privilege principle. The CAS-005 V5 objectives list subject-object relationships under zero trust in Security Architecture.

During an architecture review of a serverless application, a security architect discovers that multiple Lambda functions share a single overprivileged IAM execution role with full S3 and DynamoDB access. Applying zero trust principles, what is the MOST appropriate remediation?

Related Questions

Discussion