AWS Certified Security – Specialty (SCS-C02) — Question 270
A company’s developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.
Which solution will meet these requirements?
Answer options
- A. Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.
- B. Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.
- C. Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.
- D. Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.
Correct answer: D
Explanation
A Service Control Policy (SCP) with an explicit Deny is the standard way to enforce a guardrail across member accounts in AWS Organizations. Lambda exposes the condition key lambda:FunctionUrlAuthType on the lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions, with the values AWS_IAM and NONE. Denying those actions when the key equals NONE blocks every attempt to create or switch a function URL to unauthenticated access, no matter what IAM permissions the developer holds in the member account, and it applies automatically to every account in the OU the SCP is attached to, so developers have no extra work to do. Two caveats: SCPs do not apply to the management account, and a function URL that already has auth type NONE is not changed by the SCP, so existing URLs must be remediated separately.
Option C fails because an SCP never grants permissions; it only sets the maximum permissions the account can use. An Allow statement for AWS_IAM leaves the default FullAWSAccess SCP in place, and a developer with lambda:* in the member account could still create a URL with auth type NONE. Option A is irrelevant because CORS controls which origins a browser may call the URL from and provides no authentication. Option B does not work because AWS WAF does not front Lambda function URLs directly, and WAF operates on traffic to a resource rather than on the configuration that creates it.
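The SCP described by the correct answer, written out as an added example (it is not part of the original question; the statement ID is an arbitrary name chosen here). Attach it to the production OU; the "Resource": "*" is required because SCPs carry no Principal element and the deny should cover every function in the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnauthenticatedLambdaFunctionUrls",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunctionUrlConfig",
        "lambda:UpdateFunctionUrlConfig"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    }
  ]
}
```

To verify the guardrail from a member account in the OU, run `aws lambda create-function-url-config --function-name <function> --auth-type NONE`; it should fail with AccessDeniedException citing the service control policy, while the same command with `--auth-type AWS_IAM` succeeds. Use StringEquals rather than StringEqualsIfExists here: the IfExists form would also deny UpdateFunctionUrlConfig calls that do not carry the key at all (for example a CORS-only update), which is broader than the requirement.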