AWS Certified Solutions Architect – Professional — Question 582

A company is using multiple AWS accounts. The company has a shared service account and several other accounts for different projects.
A team has a VPC in a project account. The team wants to connect this VPC to a corporate network through an AWS Direct Connect gateway that exists in the shared services account. The team wants to automatically perform a virtual private gateway association with the Direct Connect gateway by using an already- tested AWS Lambda function while deploying its VPC networking stack. The Lambda function code can assume a role by using AWS Security Token Service
(AWS STS). The team is using AWS CloudFormation to deploy its infrastructure.
Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Deploy the Lambda function to the project account. Update the Lambda function's IAM role with the directconnect:* permission.
• B. Create a cross-account IAM role in the shared services account that grants the Lambda function the directconnect:* permission. Add the sts:AssumeRole permission to the IAM role that is associated with the Lambda function in the shared services account.
• C. Add a custom resource to the CloudFormation networking stack that references the Lambda function in the project account.
• D. Deploy the Lambda function that is performing the association to the shared services account. Update the Lambda function's IAM role with the directconnect:* permission.
• E. Create a cross-account IAM role in the shared services account that grants the sts:AssumeRole permission to the Lambda function with the directconnect:* permission acting as a resource. Add the sts:AssumeRole permission with this cross-account IAM role as a resource to the IAM role that belongs to the Lambda function in the project account.
• F. Add a custom resource to the CloudFormation networking stack that references the Lambda function in the shared services account.

Correct answer: A, C, E

Explanation

To trigger the automation during the deployment of the project account's infrastructure, a CloudFormation custom resource must be added to the project account's stack, referencing a local Lambda function (Option C). The Lambda function itself must be deployed in the project account to be easily targeted by the local CloudFormation stack (Option A). Finally, because the Direct Connect gateway resides in the shared services account, the Lambda function must assume a cross-account role in the shared services account that is authorized to perform the directconnect:* association actions (Option E).