AWS Certified Developer – Associate (DVA-C02) — Question 418
A developer uses Amazon S3 Event Notifications to invoke AWS Lambda functions. The Lambda functions process images after the images are uploaded to S3 buckets. The developer has set up a development S3 bucket, a production S3 bucket, a development Lambda function, and a production Lambda function in the same AWS account.
The developer notices that uploads to the development S3 bucket wrongly invoke the production Lambda function. The developer must prevent development data from affecting the production Lambda function.
What should the developer do to meet these requirements?
Answer options
- A. Update the execution role for the production Lambda function. Add a policy that allows the execution role to read from only the production S3 bucket.
- B. Update the S3 bucket policy for the production S3 bucket to invoke the production Lambda function. Update the S3 bucket policy for the development S3 bucket to invoke the development Lambda function.
- C. Separate the development environment and the production environment into their own AWS accounts. Update the execution role for each Lambda function. Add a policy that allows the execution role to read from only the S3 bucket that is in the same account.
- D. Separate the development environment and the production environment into their own AWS accounts. Add a resource policy to the Lambda functions to allow only S3 bucket events in the same account to invoke the functions.
Correct answer: D
Explanation
Separating development and production environments into distinct AWS accounts is an AWS best practice that provides strong isolation. To control which external services can trigger a Lambda function, a resource-based policy must be applied to the Lambda function itself to define invocation permissions. Restricting these resource policies to allow only same-account S3 bucket events prevents cross-account triggers and ensures development S3 events cannot invoke the production Lambda function.
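As an added illustration (not part of the original question or of AWS's own code), the Lambda resource-based policy statement that option D relies on, with a small evaluator showing which S3 events it admits; account IDs, bucket names and the function name are constructed placeholders, and the `ArnLike` `AWS:SourceArn` condition goes one step beyond D by also pinning the bucket, not just the account.

```python
import fnmatch

# Constructed placeholders: account IDs, bucket and function names are not from the page.
PROD_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
PROD_FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{PROD_ACCOUNT}:function:prod-image-processor"
PROD_BUCKET_ARN = "arn:aws:s3:::prod-images"
DEV_BUCKET_ARN = "arn:aws:s3:::dev-images"


def s3_invoke_statement(function_arn, account_id, bucket_arn):
    """Allow statement in the shape `aws lambda add-permission` writes when given
    --principal s3.amazonaws.com, --source-account and --source-arn.
    S3 bucket ARNs carry no account ID, so SourceArn alone cannot separate accounts;
    the SourceAccount condition closes that gap."""
    return {
        "Sid": "AllowS3InvokeFromOwnAccount",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": account_id},
            "ArnLike": {"AWS:SourceArn": bucket_arn},
        },
    }


def s3_event_allowed(policy, source_account, source_arn):
    """Simplified evaluation of the resource policy for one S3 event notification:
    allowed only if some Allow statement for the S3 service principal matches both
    the SourceAccount and SourceArn conditions (a missing condition means no constraint)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"] != {"Service": "s3.amazonaws.com"}:
            continue
        cond = stmt.get("Condition", {})
        wanted_account = cond.get("StringEquals", {}).get("AWS:SourceAccount", source_account)
        arn_pattern = cond.get("ArnLike", {}).get("AWS:SourceArn", "*")
        if wanted_account == source_account and fnmatch.fnmatchcase(source_arn, arn_pattern):
            return True
    return False


PROD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [s3_invoke_statement(PROD_FUNCTION_ARN, PROD_ACCOUNT, PROD_BUCKET_ARN)],
}

if __name__ == "__main__":
    print("prod bucket, prod account ->", s3_event_allowed(PROD_POLICY, PROD_ACCOUNT, PROD_BUCKET_ARN))
    print("dev bucket, dev account   ->", s3_event_allowed(PROD_POLICY, DEV_ACCOUNT, DEV_BUCKET_ARN))
```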