DVA-C02 · Question #788
A company hosts an application that uploads data to an Amazon S3 bucket named amzn-s3- demo-bucket. The bucket is in a single AWS account named 111111111111. The company deploys an AWS Lambda function
The correct answer is A. Add the following statement to the resource-based policy for the Lambda function in the. For Amazon S3 to invoke a Lambda function (including across accounts), the Lambda function must grant Amazon S3 permission by using a resource-based policy on the function. The policy must allow the s3.amazonaws.com service principal to call lambda:InvokeFunction on the function
Question
A company hosts an application that uploads data to an Amazon S3 bucket named amzn-s3- demo-bucket. The bucket is in a single AWS account named 111111111111. The company deploys an AWS Lambda function named S3EventParser in a second AWS account named 222222222222. The company wants to configure S3 Event Notifications to initiate the Lambda function each time a new object is uploaded to the S3 bucket. The company has deployed all resources in the eu- west-1 Region. A developer who has access to both AWS accounts needs to ensure that S3 Event Notifications can successfully deliver upload events to the Lambda function. Which solution will meet these requirements?
Exhibits
Options
- AAdd the following statement to the resource-based policy for the Lambda function in the
- BAdd the following statement to the Lambda function IAM role's trust policy in the 222222222222
- CAdd the following statement to the Lambda function IAM role's inline policy in the 222222222222
- DAdd the following statement to the S3 bucket policy in the 111111111111 account:
How the community answered
(37 responses)- A70% (26)
- B8% (3)
- C5% (2)
- D16% (6)
Explanation
For Amazon S3 to invoke a Lambda function (including across accounts), the Lambda function must grant Amazon S3 permission by using a resource-based policy on the function. The policy must allow the s3.amazonaws.com service principal to call lambda:InvokeFunction on the function ARN, and it should restrict access by specifying the source bucket ARN and the source AWS account in the condition keys. This enables S3 Event Notifications from the bucket in the first account to successfully invoke the Lambda function in the second account.
Community Discussion
No community discussion yet for this question.







