nerdexam
Amazon

DVA-C02 · Question #115

A company uses AWS Lambda functions and an Amazon S3 trigger to process images into an S3 bucket. A development team set up multiple environments in a single AWS account. After a recent production dep

The correct answer is C. Add a resource policy to the production Lambda function to allow only the production environment. A Lambda resource-based policy restricts which principals can invoke a function, preventing unintended cross-environment invocations without requiring account separation.

Submitted by fernanda_arg· Mar 5, 2026Security

Question

A company uses AWS Lambda functions and an Amazon S3 trigger to process images into an S3 bucket. A development team set up multiple environments in a single AWS account. After a recent production deployment, the development team observed that the development S3 buckets invoked the production environment Lambda functions. These invocations caused unwanted execution of development S3 files by using production Lambda functions. The development team must prevent these invocations. The team must follow security best practices. Which solution will meet these requirements?

Options

  • AUpdate the Lambda execution role for the production Lambda function to add a policy that allows
  • BMove the development and production environments into separate AWS accounts. Add a
  • CAdd a resource policy to the production Lambda function to allow only the production environment
  • DMove the development and production environments into separate AWS accounts. Update the

How the community answered

(33 responses)
  • A
    27% (9)
  • B
    6% (2)
  • C
    55% (18)
  • D
    12% (4)

Why each option

A Lambda resource-based policy restricts which principals can invoke a function, preventing unintended cross-environment invocations without requiring account separation.

AUpdate the Lambda execution role for the production Lambda function to add a policy that allows

Modifying the Lambda execution role controls what the function can do, not which principals can invoke it; it does not prevent the development S3 buckets from triggering the function.

BMove the development and production environments into separate AWS accounts. Add a

Moving to separate accounts solves the problem but is heavy-handed operational overhead when a resource policy on the existing function achieves the same isolation with far less effort.

CAdd a resource policy to the production Lambda function to allow only the production environmentCorrect

Adding a resource-based policy to the production Lambda function that explicitly allows invocation only from the production S3 bucket (by ARN) blocks the development S3 buckets from triggering it, following least-privilege principles without the operational overhead of multi-account restructuring.

DMove the development and production environments into separate AWS accounts. Update the

Separate accounts plus updating only the bucket configuration still adds significant migration overhead and is not the most direct security control available for this scenario.

Concept tested: Lambda resource-based policy for cross-environment invocation control

Source: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice