AWS Certified Security – Specialty (SCS-C02) — Question 140

An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

Answer options

• A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
• B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
• C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
• D. The version of the Lambda function that was invoked was not current.

Correct answer: A

Explanation

The correct answer is A because if the execution role does not have the necessary permissions to write to CloudWatch Logs, no logs will be generated. Option B is incorrect as logs can still be stored in CloudWatch Logs regardless of how the Lambda function is invoked. Option C is not applicable since CloudWatch Logs does not store logs in an S3 bucket; it writes them directly to its service. Option D is irrelevant since the version of the Lambda function does not impact the logging capability.