AWS Certified SysOps Administrator – Associate — Question 364

A SysOps administrator created an AWS CloudFormation template that provisions an Amazon EventBridge rule that invokes an AWS Lambda function. The Lambda function is designed to write event details to an Amazon CloudWatch log group. The function has permissions to write events to Amazon CloudWatch Logs. However, the SysOps administrator discovered that the Lambda function is not running.

How should the SysOps administrator resolve the problem?

Answer options

Correct answer: C

Explanation

To allow Amazon EventBridge to successfully trigger an AWS Lambda function, a resource-based policy must be applied to the Lambda function granting invocation permissions to the EventBridge service principal (events.amazonaws.com). In AWS CloudFormation, this is achieved by defining an AWS::Lambda::Permission resource. Option D is incorrect because lambda.amazonaws.com is the principal for the Lambda service itself, while Options A and B incorrectly attempt to use IAM execution roles instead of resource-based policies for the trigger authorization.
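
The resource described in the explanation, shown in a minimal template. This is an added example, not part of the original question; the logical IDs, the schedule and the inline function body are assumptions. `SourceArn` restricts the grant to this one rule instead of every rule that the `events.amazonaws.com` principal could act for.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example. EventBridge rule invoking a Lambda function (all names are assumptions).

Resources:
  # Execution role: what the function may do once it runs (write to CloudWatch Logs).
  # It does not decide who may invoke the function.
  LogEventsFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  LogEventsFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LogEventsFunctionRole.Arn
      Code:
        ZipFile: |
          import json
          def handler(event, context):
              # stdout from the handler is delivered to the function's log group
              print(json.dumps(event))

  ScheduledRule:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: rate(5 minutes)   # assumed trigger for the example
      State: ENABLED
      Targets:
        - Id: LogEventsTarget
          Arn: !GetAtt LogEventsFunction.Arn

  # Resource-based policy on the function: lets EventBridge invoke it.
  # Without this resource the rule still matches, but the function never runs.
  EventBridgeInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref LogEventsFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt ScheduledRule.Arn   # scope the grant to this rule only
```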