DVA-C02 Question #115: Real Exam Question with Answer & Explanation
The correct answer is C: Add a resource policy to the production Lambda function to allow only the production environment. A Lambda resource-based policy restricts which principals can invoke a function, preventing unintended cross-environment invocations without requiring account separation.
Question
A company uses AWS Lambda functions and an Amazon S3 trigger to process images into an S3 bucket. A development team set up multiple environments in a single AWS account. After a recent production deployment, the development team observed that the development S3 buckets invoked the production environment Lambda functions. These invocations caused unwanted execution of development S3 files by using production Lambda functions. The development team must prevent these invocations. The team must follow security best practices. Which solution will meet these requirements?
Options
- A. Update the Lambda execution role for the production Lambda function to add a policy that allows
- B. Move the development and production environments into separate AWS accounts. Add a
- C. Add a resource policy to the production Lambda function to allow only the production environment
- D. Move the development and production environments into separate AWS accounts. Update the
Explanation
A Lambda resource-based policy (the function policy) controls which principals and which source resources may invoke the function. Scoping the production function's policy so that only the production environment's S3 bucket is allowed to invoke it blocks the development buckets' invocations without requiring account separation.
Common mistakes.
- A. Modifying the Lambda execution role controls what the function can do, not which principals can invoke it; it does not prevent the development S3 buckets from triggering the function.
- B. Moving to separate accounts solves the problem but introduces heavy-handed operational overhead when a resource policy on the existing function achieves the same isolation with far less effort.
- D. Separate accounts plus updating only the bucket configuration still adds significant migration overhead and is not the most direct security control available for this scenario.
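As an added illustration (not part of the original question or AWS documentation), the snippet below builds the Lambda function policy statement that S3 needs in order to invoke the function, first without conditions (the over-permissive state in the question) and then scoped to the production bucket, and evaluates both against a constructed development-bucket event. The bucket and function ARNs and the account ID are constructed placeholders, and `invocation_allowed` is a simplified local evaluator, not IAM itself.

```python
import fnmatch

# Constructed sample values; replace with real ARNs in practice.
ACCOUNT = "111122223333"
PROD_BUCKET = "arn:aws:s3:::example-images-prod"
DEV_BUCKET = "arn:aws:s3:::example-images-dev"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:process-image-prod"


def s3_invoke_policy(source_arn=None, source_account=None):
    """Build a resource-based policy letting the S3 service invoke the function.

    With no conditions this mirrors the problem in the question: any bucket that
    is configured with a notification can trigger the production function.
    Adding AWS:SourceArn / AWS:SourceAccount is what
    `aws lambda add-permission --source-arn ... --source-account ...` writes.
    """
    stmt = {
        "Sid": "AllowS3Invoke",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }
    cond = {}
    if source_arn:
        cond["ArnLike"] = {"AWS:SourceArn": source_arn}
    if source_account:
        cond["StringEquals"] = {"AWS:SourceAccount": source_account}
    if cond:
        stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": [stmt]}


def invocation_allowed(policy, source_arn, source_account):
    """Simplified evaluation for an S3-originated invoke: default deny, allowed
    only if every condition of some Allow statement matches the event source."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        arn_pattern = cond.get("ArnLike", {}).get("AWS:SourceArn")
        account = cond.get("StringEquals", {}).get("AWS:SourceAccount")
        if arn_pattern and not fnmatch.fnmatchcase(source_arn, arn_pattern):
            continue  # ArnLike supports * and ? wildcards
        if account and account != source_account:
            continue
        return True
    return False
```

Running `invocation_allowed(s3_invoke_policy(), DEV_BUCKET, ACCOUNT)` returns True, while the scoped policy `s3_invoke_policy(PROD_BUCKET, ACCOUNT)` rejects the development bucket and still admits the production one.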
Concept tested. Lambda resource-based policy for cross-environment invocation control
Reference. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html