AWS Certified Security – Specialty (SCS-C02) — Question 221
A company wants to automate the creation of a security report. The company has an AWS Lambda function that gathers data from Amazon Inspector findings stored in AWS Security Hub in the us-west-2 Region. The Lambda function then needs to create a daily report by using an Amazon EventBridge schedule.
A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions.
Which solution will meet these requirements?
Answer options
- A. Create a resource-based policy that allows Security Hub access to the ARN of the Lambda function.
- B. Attach the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function’s execution role.
- C. Grant the Lambda function’s execution role read-only permissions to access Amazon Inspector and Security Hub.
- D. Create a custom IAM policy that grants the Security Hub Get*, List*, Batch*, and Describe* permissions on the arn:aws:securityhub:us-west-2::product/aws/inspector/* resource. Attach the policy to the Lambda function’s execution role.
Correct answer: B
Explanation
The correct answer is B because attaching the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function’s execution role grants the function the read-only Security Hub permissions it needs to retrieve the findings, without granting write access. Option A is incorrect because a resource-based policy on the Lambda function controls which principals may invoke the function; it does not give the function’s execution role any permission to read Security Hub data. Option C is incorrect because a loosely specified read-only grant to Amazon Inspector and Security Hub is not guaranteed to include the specific Security Hub actions the function calls, and the Inspector permissions are unnecessary since the findings are read from Security Hub. Option D is incorrect because the custom policy’s Get*, List*, Batch*, and Describe* wildcards grant more actions than the function needs, which does not align with the least privilege principle.