AWS Certified Developer – Associate — Question 434
A developer is creating a solution to track an account's Amazon S3 buckets over time. The developer has created an AWS Lambda function that will run on a schedule. The function will list the account's S3 buckets and will store the list in an Amazon DynamoDB table. The developer receives a permissions error when the developer runs the function with the AWSLambdaBasicExecutionRole AWS managed policy.
Which combination of permissions should the developer use to resolve this error? (Choose two.)
Answer options
- A. Cross-account IAM role
- B. Permission for the Lambda function to list buckets in Amazon S3
- C. Permission for the Lambda function to write in DynamoDB
- D. Permission for Amazon S3 to invoke the Lambda function
- E. Permission for DynamoDB to invoke the Lambda function
Correct answer: B, C
Explanation
The AWSLambdaBasicExecutionRole managed policy provides only the basic permissions needed to upload logs to Amazon CloudWatch. To resolve the permissions error, the Lambda function's execution role must be granted explicit permissions to list the account's Amazon S3 buckets and to write the resulting data to the Amazon DynamoDB table. Invocation permissions for S3 or DynamoDB are unnecessary because the function is triggered by a schedule, not by events from those services.