AWS Certified Data Engineer – Associate (DEA-C01) — Question 231
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses an enhanced fan-out data stream in Amazon Kinesis Data Streams to receive streaming data from multiple producers. The company runs the data stream in an account named Account A. The company wants to use an AWS Lambda function in an account named Account B to process the data from the data stream. The company creates a Lambda execution role in Account B that has permissions to access data from the data stream in Account A.
What additional step must the company take to meet this requirement?
Answer options
- A. Create a service control policy (SCP) to grant the data stream read access to the cross-account Lambda execution role. Attach the SCP to Account A.
- B. Add a resource-based policy to the data stream to allow read access for the cross-account Lambda execution role.
- C. Create a service control policy (SCP) to grant the data stream read access to the cross-account Lambda execution role. Attach the SCP to Account B.
- D. Add a resource-based policy to the cross-account Lambda function to grant the data stream read access to the function.
Correct answer: B
Explanation
The correct answer is B. A resource-based policy attached to the Kinesis data stream in Account A is what explicitly grants the Lambda execution role in Account B read access to that stream; the execution role's own identity-based permissions are not sufficient on their own across the account boundary. Options A and C incorrectly rely on service control policies, which act as permission guardrails for the accounts in an organization and never grant access to specific resources, while option D targets the Lambda function's resource-based policy instead of the data stream itself.