AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 82

A company is using an organization in AWS Organizations to manage multiple AWS accounts. The company’s development team wants to use AWS Lambda functions to meet resiliency requirements and is rewriting all applications to work with Lambda functions that are deployed in a VPC. The development team is using Amazon Elastic File System (Amazon EFS) as shared storage in Account A in the organization.

The company wants to continue to use Amazon EFS with Lambda. Company policy requires all serverless projects to be deployed in Account B.

A DevOps engineer needs to reconfigure an existing EFS file system to allow Lambda functions to access the data through an existing EFS access point.

Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

Answer options

• A. Update the EFS file system policy to provide Account B with access to mount and write to the EFS file system in Account A.
• B. Create SCPs to set permission guardrails with fine-grained control for Amazon EFS.
• C. Create a new EFS file system in Account B. Use AWS Database Migration Service (AWS DMS) to keep data from Account A and Account B synchronized.
• D. Update the Lambda execution roles with permission to access the VPC and the EFS file system.
• E. Create a VPC peering connection to connect Account A to Account B.
• F. Configure the Lambda functions in Account B to assume an existing IAM role in Account A.

Correct answer: A, D, E

Explanation

The correct steps involve updating the EFS file system policy to allow Account B access (A), modifying Lambda execution roles for VPC and EFS access (D), and establishing a VPC peering connection between accounts (E). Options B, C, and F are not necessary for this scenario; B does not directly address access, C involves creating a new EFS which is not required, and F complicates the architecture without necessity.