AWS Certified Security – Specialty (SCS-C02) — Question 105
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.
When the code is processed, the following error message appears: "An error occurred (AccessDenied) when calling the AssumeRole operation."
Which combination of steps should the security engineer take to resolve this error? (Choose two.)
Answer options
- A. Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
- B. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
- C. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
- D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
- E. Ensure that the sts:AssumeRole API call is being issued to the us-east-1 Region endpoint.
Correct answer: A, C
Explanation
The correct answers are A and C because cross-account role assumption must be allowed on both sides: the identity-based policy of LambdaAuditRole must grant sts:AssumeRole on AcmeAuditFactoryRole, and the trust policy of AcmeAuditFactoryRole must explicitly allow the sts:AssumeRole action from LambdaAuditRole. If either half is missing, the AssumeRole call fails with AccessDenied. Options B, D, and E do not address the cross-account AssumeRole permission and so do not resolve the error.
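As an added illustration that is not part of the exam page, the following Python models the two-sided check that options A and C describe: a simplified evaluator that returns True only when the caller's identity policy and the target role's trust policy both allow sts:AssumeRole. The account IDs and ARNs are constructed placeholders, and the evaluator deliberately ignores explicit Deny statements, wildcards and Condition keys that real IAM evaluation also considers.

```python
# Constructed example (not from the exam page): placeholder account IDs and ARNs.
CALLER_ARN = "arn:aws:iam::111111111111:role/LambdaAuditRole"
TARGET_ARN = "arn:aws:iam::222222222222:role/AcmeAuditFactoryRole"

# Option A: identity-based policy attached to LambdaAuditRole in the calling account.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ARN}],
}

# Option C: trust policy on AcmeAuditFactoryRole in the target account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": CALLER_ARN}, "Action": "sts:AssumeRole"}],
}

# Stand-in for "the policy was never written", used to show each missing half.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

def _as_list(value):
    # IAM accepts either a single string or a list for Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]

def identity_allows(policy, action, resource):
    """Does an Allow statement in the caller's identity policy cover action on resource?"""
    return any(
        s.get("Effect") == "Allow"
        and action in _as_list(s.get("Action", []))
        and resource in _as_list(s.get("Resource", []))
        for s in policy["Statement"]
    )

def trust_allows(policy, principal_arn, action):
    """Does an Allow statement in the target role's trust policy name the caller as principal?"""
    return any(
        s.get("Effect") == "Allow"
        and principal_arn in _as_list(s.get("Principal", {}).get("AWS", []))
        and action in _as_list(s.get("Action", []))
        for s in policy["Statement"]
    )

def assume_role_permitted(identity_policy, trust_policy, caller_arn, target_arn):
    """Cross-account AssumeRole succeeds only when BOTH policies allow it (options A and C)."""
    return (identity_allows(identity_policy, "sts:AssumeRole", target_arn)
            and trust_allows(trust_policy, caller_arn, "sts:AssumeRole"))

if __name__ == "__main__":
    cases = [("both A and C", IDENTITY_POLICY, TRUST_POLICY),
             ("missing A", EMPTY_POLICY, TRUST_POLICY), ("missing C", IDENTITY_POLICY, EMPTY_POLICY)]
    for label, idp, tp in cases:
        print(label, "->", assume_role_permitted(idp, tp, CALLER_ARN, TARGET_ARN))
```

Only the first case returns True; removing either policy reproduces the AccessDenied situation from the question.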