AWS Certified Security – Specialty — Question 444
A security team is developing an automated solution that uses an AWS Lambda function to provision an Amazon EC2 instance. The solution will provision the EC2 instance with an IAM role that has the permissions necessary to make API calls to other AWS services in the same AWS account. The security team can create the AMI for this EC2 instance. The team encrypts the AMI by using an AWS Key Management Service (AWS KMS) customer managed key.
When the team invokes the Lambda function to launch the EC2 instance, the team receives an access denied error message from the Lambda function’s execution role. The team analyzes the Lambda function execution role for missing permissions.
What is the MOST likely cause of this error message?
Answer options
- A. The Lambda function’s execution role does not have kms:CreateGrant and kms:Decrypt KMS key permissions for the encrypted AMI.
- B. The Lambda function's execution role does not have iam:PassRole permission for the requested IAM instance profile.
- C. The company has reached the account's service quota for the EC2 instance type that the Lambda function is provisioning in the AWS Region.
- D. The Lambda function’s execution role does not have Amazon CloudWatch read and write permissions for the configured CloudWatch agent on the EC2 instance.
Correct answer: B
Explanation
To launch an Amazon EC2 instance with an associated IAM role, the calling entity (here, the Lambda function's execution role) must hold the iam:PassRole permission for that role. iam:PassRole is what authorizes the caller to hand the role to the EC2 service when the instance profile is specified in the launch request. Without it, the ec2:RunInstances call that names the instance profile is rejected with an access denied error, even if the caller is otherwise permitted to launch instances.
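To make the missing permission concrete, the following is an added example (not part of the original question or of any AWS documentation). It embeds two constructed identity policies for the Lambda execution role: a "before" policy that can launch instances but never grants iam:PassRole, and an "after" policy that adds iam:PassRole scoped to a single hypothetical instance role and restricted with the iam:PassedToService condition key so the role can only be passed to EC2. A small evaluator then reports which of the permissions a RunInstances call with an instance profile needs are absent. The account ID, role ARN, and policy contents are made-up values; the evaluator is a deliberate simplification (Allow/Deny with wildcards, no Condition evaluation, no SCPs or permissions boundaries) meant to illustrate the check, not to replace the IAM policy simulator.

```python
"""Check whether a Lambda execution role's identity policy grants what an
ec2:RunInstances call with an IamInstanceProfile needs: the RunInstances
action itself plus iam:PassRole on the instance profile's role.

Added, constructed example. ARNs and policies are made up. The evaluator
is an assumption-level simplification of IAM: it honours explicit Deny
over Allow and '*'/'?' wildcards, but ignores Condition blocks, NotAction,
NotResource, SCPs, permissions boundaries and resource policies.
"""
import fnmatch
import json

# Hypothetical role the EC2 instance will assume through its instance profile.
INSTANCE_ROLE_ARN = "arn:aws:iam::123456789012:role/app-instance-role"

# Constructed "before" policy: can launch instances but never passes the role.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"}
  ]
}""")

# Constructed "after" policy: adds iam:PassRole, limited to one role and to EC2.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-instance-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}
  ]
}""")

# What the caller needs for RunInstances with an instance profile attached.
REQUIRED = [
    ("ec2:RunInstances", "*"),
    ("iam:PassRole", INSTANCE_ROLE_ARN),
]


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, case_insensitive):
    # Action names match case-insensitively in IAM; ARNs are case-sensitive.
    for pattern in _as_list(patterns):
        if case_insensitive:
            pattern, candidate = pattern.lower(), target.lower()
        else:
            candidate = target
        if fnmatch.fnmatchcase(candidate, pattern):
            return True
    return False


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, required=REQUIRED):
    """Return the (action, resource) pairs the policy does not grant."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    print("broken policy is missing:", missing_permissions(BROKEN_POLICY))
    print("fixed policy is missing: ", missing_permissions(FIXED_POLICY))
```

Running the block prints that the broken policy lacks iam:PassRole on the instance role while the fixed policy lacks nothing. The design point is in the "after" statement: iam:PassRole is granted on one role ARN rather than `*`, and iam:PassedToService pins it to ec2.amazonaws.com, so the execution role cannot be used to pass that role to some other service.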