
DOP-C02 Question #191: Real Exam Question with Answer & Explanation

Submitted by andreas_gr · Mar 6, 2026 · Configuration Management and Infrastructure as Code

Question

A company has configured an Amazon S3 event source on an AWS Lambda function. The company needs the Lambda function to run when a new object is created or an existing object is modified in a particular S3 bucket. The Lambda function will use the S3 bucket name and the S3 object key of the incoming event to read the contents of the created or modified S3 object. The Lambda function will parse the contents and save the parsed contents to an Amazon DynamoDB table. The Lambda function's execution role has permissions to read from the S3 bucket and to write to the DynamoDB table. During testing, a DevOps engineer discovers that the Lambda function does not run when objects are added to the S3 bucket or when existing objects are modified. Which solution will resolve this problem?

Options

  • A. Increase the memory of the Lambda function to give the function the ability to process large files
  • B. Create a resource policy on the Lambda function to grant Amazon S3 the permission to invoke
  • C. Configure an Amazon Simple Queue Service (Amazon SQS) queue as an OnFailure destination
  • D. Provision space in the /tmp folder of the Lambda function to give the function the ability to

Explanation

Option B is correct because even though the Lambda function's execution role grants Lambda permission to act on S3 and DynamoDB, a separate resource-based policy (also called a function policy) is required to grant S3 the permission to invoke the Lambda function itself - without this, S3 cannot trigger the function, which is exactly why no executions occur during testing.

  • Option A is wrong because memory allocation affects processing capacity and timeout behavior, not whether a function gets triggered in the first place.
  • Option C is wrong because an SQS OnFailure destination handles events after a failed invocation - it does not fix the root cause of the function never being invoked at all.
  • Option D is wrong because /tmp storage relates to temporary file handling during execution and has no bearing on whether the S3 event trigger can invoke the function.

💡 Memory Tip: Think of it as a two-way handshake - the execution role controls what Lambda can do, while the resource policy controls who can call Lambda. When an AWS service like S3 isn't triggering your function, always check whether that service has invoke permission on the Lambda resource policy.
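As an added example that is not part of the question page, the following Python shows the statement that the fix in option B adds to the function's resource-based policy, together with a small audit that reads a policy document (the JSON returned by `aws lambda get-policy`) and reports the two things the memory tip asks you to check: whether the S3 service principal is allowed to invoke the function at all, and whether that grant is pinned to one bucket and one account. The function ARN, bucket ARN and account ID are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own function, bucket and account.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:parse-objects"
BUCKET_ARN = "arn:aws:s3:::example-upload-bucket"
ACCOUNT_ID = "111122223333"


def s3_invoke_statement(function_arn, bucket_arn, account_id, sid="AllowS3Invoke"):
    """Build the resource-policy statement that `aws lambda add-permission` writes
    when called with --principal s3.amazonaws.com, --source-arn and --source-account.

    The execution role says what the function may do; this statement says who may
    call it. The two conditions limit the grant to notifications from one bucket in
    one account, so a bucket elsewhere that points at this function cannot invoke it.
    """
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": bucket_arn},
            "StringEquals": {"AWS:SourceAccount": account_id},
        },
    }


def audit_s3_invoke(policy):
    """Return (s3_can_invoke, findings) for a Lambda resource policy document.

    `aws lambda get-policy` returns the document as a JSON string under "Policy";
    parse it with json.loads() before passing it here.
    """
    findings = []
    s3_can_invoke = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if principal != "*" and "s3.amazonaws.com" not in services:
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        s3_can_invoke = True
        # Collect every condition key regardless of operator (ArnLike, StringEquals, ...).
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        sid = st.get("Sid", "<no Sid>")
        if "aws:sourcearn" not in keys:
            findings.append(f"{sid}: no AWS:SourceArn condition, any bucket may invoke")
        if "aws:sourceaccount" not in keys:
            findings.append(f"{sid}: no AWS:SourceAccount condition, grant is not pinned to an account")
    if not s3_can_invoke:
        findings.append(
            "no statement allows s3.amazonaws.com to call lambda:InvokeFunction; "
            "S3 event notifications will not trigger the function"
        )
    return s3_can_invoke, findings


# Constructed sample policies covering the three states a reviewer meets.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}          # the question's symptom
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [s3_invoke_statement(FUNCTION_ARN, BUCKET_ARN, ACCOUNT_ID)]}
LOOSE_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Sid": "Loose", "Effect": "Allow",
                               "Principal": {"Service": "s3.amazonaws.com"},
                               "Action": "lambda:InvokeFunction",
                               "Resource": FUNCTION_ARN}]}

if __name__ == "__main__":
    print(json.dumps(s3_invoke_statement(FUNCTION_ARN, BUCKET_ARN, ACCOUNT_ID), indent=2))
    for name, pol in (("empty", EMPTY_POLICY), ("scoped", SCOPED_POLICY), ("loose", LOOSE_POLICY)):
        can_invoke, findings = audit_s3_invoke(pol)
        print(f"{name}: s3_can_invoke={can_invoke} findings={findings}")
```

When the bucket notification is configured outside the Lambda console (from the S3 console, the CLI, or CloudFormation), this permission is not added for you; the equivalent of the statement above is `aws lambda add-permission` with `--principal s3.amazonaws.com`, `--source-arn` and `--source-account`, or an `AWS::Lambda::Permission` resource with `SourceArn` and `SourceAccount` set.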

Topics

#Lambda #S3 #Permissions #ResourcePolicies
