A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.
How should the Lambda function be given access to the DynamoDB table?
 

Answer options:

A.Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.B.Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
C.Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
D.Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Answer: D
The ideal way is to create an IAM role that has the required permissions and then associate it with the Lambda function.
Option A is incorrect because it does not provide the required permission for the Lambda function.
Option B is incorrect because you need to attach the lAM policy to an IAM role and attach the role to the Lambda function.
Option C is incorrect because using IAM users and access keys is not recommended for giving access to applications. IAM roles should be created for services to access other services in AWS (e.g., S3 and DynamoDB).
Option D is CORRECT because we need to create an IAM role with a policy providing access to DynamoDB and attach the role to the Lambda function. This will allow Lambda to write metadata to DynamoDB when an object is stored in the S3 bucket.
The AWS Documentation additionally mentions the following
Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as reading an object from an S3 bucket or writing logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions the role.
AWS Lambda polls these streams on your behalf if the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams). AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.
For more information on the Lambda permission model, please visit the below URL https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html