AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 222
A DevOps team has created a custom Lambda rule in AWS Config. The rule monitors Amazon Elastic Container Registry (Amazon ECR) repository policy statements for ecr:* actions. When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route the notification to a security team.
When the custom AWS Config rule is evaluated, the AWS Lambda function fails to run.
Which solution will resolve the issue?
Answer options
- A. Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.
- B. Modify the SNS topic policy to include configuration changes for EventBridge to publish to the SNS topic.
- C. Modify the Lambda function's execution role to include configuration changes for custom AWS Config rules.
- D. Modify all the ECR repository policies to grant AWS Config access to the necessary ECR API actions.
Correct answer: A
Explanation
The correct answer is A. AWS Config invokes a custom rule's Lambda function as the service principal config.amazonaws.com, and a service principal can invoke a function only if the function's resource-based policy (its function policy) grants it lambda:InvokeFunction. Without that statement the invocation is rejected before the function's code ever runs, which matches the symptom. The other options do not touch invocation: B concerns EventBridge publishing to the SNS topic, a later step in the notification path that is never reached; C changes the execution role, which governs what the function may do once it is running (it does need config:PutEvaluations to report results, but a missing execution-role permission does not stop the function from being invoked); D changes ECR repository policies, which have no bearing on who may invoke the Lambda function. When adding the permission, pin it with an AWS:SourceAccount condition so that only AWS Config acting for your own account can invoke the function, not Config in any other account.
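The check described above, as an added example that is not part of the exam question or answer: a small Python checker that reads the JSON returned in the "Policy" field of `aws lambda get-policy`, reports whether config.amazonaws.com is allowed to call lambda:InvokeFunction, flags a grant that lacks the AWS:SourceAccount condition, and renders the `aws lambda add-permission` command that fixes a missing grant. The policy documents, the function name ecr-policy-checker, the region and the account ID 111122223333 are constructed for the example.

```python
"""Check a Lambda resource-based policy for the grant AWS Config needs.

Added example, not from the exam page. Policy documents below are constructed;
in practice pass the "Policy" string from `aws lambda get-policy`.
"""
import json
from typing import Optional

CONFIG_PRINCIPAL = "config.amazonaws.com"
INVOKE_ACTION = "lambda:InvokeFunction"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers_invoke(action: str) -> bool:
    """True if an Action entry (possibly wildcarded, e.g. 'lambda:*') covers InvokeFunction."""
    if action in ("*", INVOKE_ACTION):
        return True
    return action.endswith("*") and INVOKE_ACTION.startswith(action[:-1])


def check_config_invoke(policy_json: Optional[str], expected_account: str) -> dict:
    """Return {'allowed', 'statement_id', 'pinned_to_account', 'problems'} for the
    first Allow statement that lets config.amazonaws.com invoke the function.

    policy_json is None when the function has no resource policy at all
    (get-policy raises ResourceNotFoundException in that case).
    """
    result = {"allowed": False, "statement_id": None, "pinned_to_account": False, "problems": []}
    if not policy_json:
        result["problems"].append(
            "no resource-based policy: service principals such as "
            f"{CONFIG_PRINCIPAL} cannot invoke this function")
        return result

    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A bare "*" principal lets any caller in; otherwise look at the Service list.
        services = ["*"] if principal == "*" else _as_list((principal or {}).get("Service"))
        if CONFIG_PRINCIPAL not in services and "*" not in services:
            continue
        if not any(_action_covers_invoke(a) for a in _as_list(stmt.get("Action"))):
            continue

        result["allowed"] = True
        result["statement_id"] = stmt.get("Sid")
        if "*" in services:
            result["problems"].append(f"statement {stmt.get('Sid')} uses Principal '*' (anyone can invoke)")
        # `aws lambda add-permission --source-account` writes this exact condition key.
        source_account = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceAccount")
        if source_account == expected_account:
            result["pinned_to_account"] = True
        elif source_account is None:
            result["problems"].append(
                f"statement {stmt.get('Sid')} grants {CONFIG_PRINCIPAL} without an "
                "AWS:SourceAccount condition (confused deputy: Config in any account could invoke it)")
        else:
            result["problems"].append(
                f"statement {stmt.get('Sid')} is pinned to account {source_account}, "
                f"expected {expected_account}")
        break
    return result


def add_permission_command(function_name: str, account_id: str) -> str:
    """Render the CLI call that adds the missing grant (statement id is an assumption)."""
    return (
        f"aws lambda add-permission --function-name {function_name} "
        "--statement-id AllowConfigInvoke --action lambda:InvokeFunction "
        f"--principal {CONFIG_PRINCIPAL} --source-account {account_id}"
    )


# Constructed sample policies (not from any real account).
_FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ecr-policy-checker"

# Mistake a team might make: granting EventBridge instead of Config (EventBridge is
# downstream of the rule, it never invokes this function).
POLICY_WRONG_PRINCIPAL = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEventBridge", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": _FUNCTION_ARN}]})

# Config allowed, but nothing limits which account's Config may invoke.
POLICY_UNPINNED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowConfigInvoke", "Effect": "Allow",
    "Principal": {"Service": "config.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": _FUNCTION_ARN}]})

# What add-permission with --source-account produces.
POLICY_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowConfigInvoke", "Effect": "Allow",
    "Principal": {"Service": "config.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": _FUNCTION_ARN,
    "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}}]})

if __name__ == "__main__":
    for name, doc in [("none", None), ("wrong principal", POLICY_WRONG_PRINCIPAL),
                      ("unpinned", POLICY_UNPINNED), ("fixed", POLICY_FIXED)]:
        print(name, check_config_invoke(doc, "111122223333"))
    print(add_permission_command("ecr-policy-checker", "111122223333"))
```

Run it against the real document after `aws lambda get-policy --function-name ecr-policy-checker --query Policy --output text`; a result with `allowed` False is exactly the failure in the question, and `pinned_to_account` False with a problem listed is a grant that works but is broader than it needs to be.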