AWS Certified Developer – Associate (DVA-C02) — Question 225

An AWS Lambda function is running in a company’s shared AWS account. The function needs to perform an additional ec2:DescribeInstances action that is directed at the company’s development accounts. A developer must configure the required permissions across the accounts.

How should the developer configure the permissions to adhere to the principle of least privilege?

Answer options

Correct answer: B

Explanation

The correct answer is B. An IAM role created in the development accounts holds the necessary permission, and a trust relationship on that role allows the Lambda function in the shared account to assume it, which adheres to the principle of least privilege. Options A and C incorrectly configure the permissions in the shared account, while D does not provide the iam:AssumeRole permissions that the Lambda function needs to access the role in the development accounts.