AWS Certified Solutions Architect – Associate (SAA-C02) — Question 305

A company is preparing to deploy a new serverless workload. A solutions architect needs to configure permissions for invoking an AWS Lambda function. The function will be triggered by an Amazon EventBridge (Amazon CloudWatch Events) rule. Permissions should be configured using the principle of least privilege.
Which solution will meet these requirements?

Answer options

• A. Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.
• B. Add an execution role to the function with lambda:InvokeFunction as the action and Service:amazonaws.com as the principal.
• C. Add a resource-based policy to the function with lambda:'* as the action and Service:events.amazonaws.com as the principal.
• D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service:events.amazonaws.com as the principal.

Correct answer: D

Explanation

To allow an external service like Amazon EventBridge to trigger an AWS Lambda function, a resource-based policy must be applied to the function granting invocation rights to the 'events.amazonaws.com' service principal. To adhere to the principle of least privilege, the policy must specifically grant the 'lambda:InvokeFunction' action instead of wildcard permissions. Execution roles define what resources the Lambda function can access when running, not which services are allowed to invoke it.