AWS Certified Security – Specialty (SCS-C02) — Question 278

A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions.

The company’s developers are trying to debug a Lambda function that is deployed. The developers cannot debug the Lambda function because the Lambda function is not logging its output to Amazon CloudWatch Logs.

Which combination of steps should a security engineer take to resolve this issue? (Choose two.)

Answer options

Correct answer: A, B

Explanation

For an AWS Lambda function to send logs to Amazon CloudWatch Logs, two things must be true of its execution role. First, the role's trust policy must permit the Lambda service principal (lambda.amazonaws.com) to assume the role via sts:AssumeRole; without that, the service cannot obtain credentials on the function's behalf at all. Second, the role must have an IAM permissions policy attached that grants permission to create log groups, create log streams, and put log events in CloudWatch Logs (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents). Other configurations, such as X-Ray settings or the developers' own IAM roles, do not affect the Lambda function's ability to write its execution logs.
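As an added illustration (not part of the original question or its answer key), the following minimal CloudFormation template wires both pieces together: the trust policy for lambda.amazonaws.com and a least-privilege permissions policy scoped to the function's own CloudWatch Logs log group. The function name and the handler code are constructed for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda execution role that can write to CloudWatch Logs (constructed example)

Parameters:
  FunctionName:
    Type: String
    Default: example-debug-function   # constructed name, not from the question

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service principal may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Permissions policy: the three CloudWatch Logs actions the function needs,
      # limited to this function's log group rather than all log groups (least privilege).
      Policies:
        - PolicyName: AllowCloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${FunctionName}:*'

  DebugFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref FunctionName
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn   # ties the function to the role above
      Code:
        ZipFile: |
          def handler(event, context):
              # stdout from a Lambda function is delivered to CloudWatch Logs
              # only when the execution role carries the permissions above.
              print("debug: received event", event)
              return {"ok": True}
```

If the trust policy is missing or names a different service principal, the stack still deploys but every invocation fails before the handler runs; if only the logs permissions are missing, the function runs but nothing appears in CloudWatch Logs, which is the symptom the question describes.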