AWS Certified Solutions Architect – Professional — Question 636
A company has several AWS accounts. A development team is building an automation framework for cloud governance and remediation processes. The automation framework uses AWS Lambda functions in a centralized account. A solutions architect must implement a least privilege permissions policy that allows the Lambda functions to run in each of the company's AWS accounts.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. In the centralized account, create an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts.
- B. In the other AWS accounts, create an IAM role that has minimal permissions. Add the centralized account's Lambda IAM role as a trusted entity.
- C. In the centralized account, create an IAM role that has roles of the other accounts as trusted entities. Provide minimal permissions.
- D. In the other AWS accounts, create an IAM role that has permissions to assume the role of the centralized account. Add the Lambda service as a trusted entity.
- E. In the other AWS accounts, create an IAM role that has minimal permissions. Add the Lambda service as a trusted entity.
Correct answer: A, B
Explanation
To enable cross-account access for AWS Lambda with least privilege, the delegation has to be configured on both sides. In the central account, the Lambda function's execution role trusts the Lambda service and carries an inline policy permitting sts:AssumeRole on the specific role ARNs in the target accounts (option A). In each target account, an IAM role holding only the minimum permissions the remediation needs names the central Lambda execution role as its trusted principal, so that only that role can assume it (option B). The remaining options either point the trust relationship in the wrong direction (C and D make the central account the thing being assumed) or trust the Lambda service directly in the target accounts (E), which does not let a function in another account assume the role.
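The following is an added worked example, not part of the original question or of any AWS documentation. It builds the two policy documents described by options A and B with constructed placeholder account IDs and role names, and includes a small checker that evaluates whether an AssumeRole chain resolves by reading the caller's identity policy and the target role's trust policy. The checker is a simplified model of IAM evaluation (Allow statements, simple "*" wildcards, no Deny or condition handling) and makes no AWS API calls; all ARNs and permissions are assumptions.

```python
"""Constructed example: wiring the two IAM roles from options A + B and
checking that the sts:AssumeRole chain resolves in the right direction.
Pure policy-document logic; no AWS calls are made."""
import json

# Constructed placeholder account IDs and role names (not from the question).
CENTRAL_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
CENTRAL_ROLE_ARN = f"arn:aws:iam::{CENTRAL_ACCOUNT}:role/GovernanceLambdaRole"
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/GovernanceRemediationRole"


def central_trust_policy():
    """Option A: the Lambda service is the trusted entity of the central role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def central_assume_policy(target_role_arns):
    """Option A: inline policy scoped to the exact roles the function may assume."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": list(target_role_arns)}]}


def target_trust_policy(central_role_arn):
    """Option B: the target role trusts the central Lambda role, not the Lambda service."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": central_role_arn},
        "Action": "sts:AssumeRole"}]}


def target_permissions_policy():
    """Option B: minimal permissions in the target account (constructed read-only set)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances"],
        "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Simplified IAM matching: "*" matches anything, otherwise exact string match.
    return pattern == "*" or pattern == value


def identity_allows_assume(policy, target_arn):
    """Does the caller's identity policy allow sts:AssumeRole on target_arn?"""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(st["Action"])):
            continue
        if any(_matches(r, target_arn) for r in _as_list(st["Resource"])):
            return True
    return False


def trust_allows_principal(trust_policy, caller_arn):
    """Does the target role's trust policy name caller_arn as an AWS principal?

    A Service principal (e.g. lambda.amazonaws.com) or a bare "*" principal is
    deliberately not treated as granting a cross-account role access here."""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict) and any(
                _matches(p, caller_arn) for p in _as_list(principal.get("AWS", []))):
            return True
    return False


def chain_resolves(caller_arn, caller_policy, target_arn, target_trust):
    """Both halves of the delegation must agree for AssumeRole to succeed."""
    return (identity_allows_assume(caller_policy, target_arn)
            and trust_allows_principal(target_trust, caller_arn))


if __name__ == "__main__":
    caller_policy = central_assume_policy([TARGET_ROLE_ARN])
    print("A+B wiring resolves:",
          chain_resolves(CENTRAL_ROLE_ARN, caller_policy, TARGET_ROLE_ARN,
                         target_trust_policy(CENTRAL_ROLE_ARN)))
    # Option E wiring: the target role trusts the Lambda service instead of the central role.
    service_trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    print("service-principal trust resolves:",
          chain_resolves(CENTRAL_ROLE_ARN, caller_policy, TARGET_ROLE_ARN, service_trust))
    print(json.dumps(target_trust_policy(CENTRAL_ROLE_ARN), indent=2))
```

Scoping the central role's `Resource` to the explicit target role ARNs, rather than `*`, is what keeps option A at least privilege: a function compromised in the central account can then only reach the remediation roles you enumerated, and each of those roles further limits what it can do in the target account.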