AWS Certified Solutions Architect – Associate (SAA-C03) — Question 108
A company is preparing to deploy a new serverless workload. A solutions architect must use the principle of least privilege to configure permissions that will be used to run an AWS Lambda function. An Amazon EventBridge (Amazon CloudWatch Events) rule will invoke the function.
Which solution meets these requirements?
Answer options
- A. Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.
- B. Add an execution role to the function with lambda:InvokeFunction as the action and Service: lambda.amazonaws.com as the principal.
- C. Add a resource-based policy to the function with lambda:* as the action and Service: events.amazonaws.com as the principal.
- D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal.
Correct answer: D
Explanation
The correct answer is D. A resource-based policy attached to the function grants the Amazon EventBridge service (events.amazonaws.com) exactly one permission, lambda:InvokeFunction, which is all an invoking service needs; this adheres to the principle of least privilege. Option A is incorrect because it uses * as the principal, which lets any caller invoke the function. Option B incorrectly names the Lambda service as the principal rather than the EventBridge service; in addition, options A and B both describe an execution role, which governs what the function itself may do rather than who may invoke it. Option C permits all Lambda actions (lambda:*), which is broader than the invoke permission the rule requires and therefore violates the least privilege principle.
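As an added illustration that is not part of the exam question, the following audit function checks a Lambda resource-based policy statement for the least-privilege properties the explanation relies on (service principal, single invoke action) and, going one step beyond option D, also expects an AWS:SourceArn condition pinning the grant to one EventBridge rule. The rule and function ARNs and the statement shapes are constructed placeholders.

```python
"""Least-privilege audit for a Lambda resource-based policy statement.

Added example: flags the over-broad shapes of answer options A, B and C
and accepts an option-D style statement scoped to a single rule.
"""

EVENTBRIDGE = "events.amazonaws.com"
INVOKE = "lambda:InvokeFunction"


def audit_invoke_statement(stmt: dict) -> list[str]:
    """Return least-privilege findings for one statement (empty list means OK)."""
    findings = []
    principal = stmt.get("Principal")
    actions = stmt.get("Action")
    actions = [actions] if isinstance(actions, str) else list(actions or [])

    # The principal must be the invoking service, never a wildcard.
    if principal == "*" or principal == {"AWS": "*"}:
        findings.append("principal is a wildcard (any caller may invoke)")
    elif not (isinstance(principal, dict) and principal.get("Service") == EVENTBRIDGE):
        findings.append(f"principal is not {EVENTBRIDGE}")

    # Only the invoke action is needed; lambda:* would also allow reconfiguration.
    for action in actions:
        if action != INVOKE:
            findings.append(f"action {action!r} broader than {INVOKE}")

    # Scoping to the rule ARN stops other rules or accounts from invoking the
    # function through the service principal (confused-deputy mitigation).
    condition = stmt.get("Condition", {})
    arn_keys = condition.get("ArnLike", {}) | condition.get("ArnEquals", {})
    if "AWS:SourceArn" not in arn_keys:
        findings.append("no AWS:SourceArn condition scoping to the EventBridge rule")
    return findings


# Constructed sample statements mirroring the answer options (placeholder ARNs).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:example-fn"
RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/example-rule"
OPTION_A = {"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": FUNCTION_ARN}
OPTION_B = {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": INVOKE, "Resource": FUNCTION_ARN}
OPTION_C = {"Effect": "Allow", "Principal": {"Service": EVENTBRIDGE},
            "Action": "lambda:*", "Resource": FUNCTION_ARN}
OPTION_D = {"Effect": "Allow", "Principal": {"Service": EVENTBRIDGE}, "Action": INVOKE,
            "Resource": FUNCTION_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn": RULE_ARN}}}
```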