AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer provides the most secure and least-privilege access by using a specific role-to-role trust relationship and resource-level permissions. An IAM role in the Production account (LambdaUpdateRole) is granted a narrow permission (lambda:UpdateFunctionCode) limited only to the specific Lambda function's ARN. Its trust policy explicitly allows only the EC2 instance's role (ToolsEC2Role) from the Developer Tools account to assume it. This ensures that only the designated EC2 instance can assume the role, and once assumed, the credentials can only be used to update that single Lambda function's code.

Using wildcards for the resource or action is overly permissive and violates the principle of least privilege, as it would allow the role to update any Lambda function, or perform any Lambda action, respectively.

Using an IAM user with long-lived access keys is not a best practice for programmatic access from an EC2 instance. IAM roles provide temporary, automatically rotated credentials, which is a more secure mechanism than managing static keys.

Configuring the trust policy in the Production account's role to trust the entire Developer Tools account root is less secure than trusting the specific role ARN. This configuration would allow any principal in the Developer Tools account with sts:AssumeRole permissions to assume the LambdaUpdateRole, not just the intended EC2 instance.