AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is preparing to deploy a new serverless workload. A solutions architect must use the principle of least privilege to configure permissions that will be used to run an AWS Lambda function. An Amazon EventBridge (Amazon CloudWatch Events) rule will invoke the function. Which solution meets these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.

Add an execution role to the function with lambda:InvokeFunction as the action and Service: lambda.amazonaws.com as the principal.

Add a resource-based policy to the function with lambda:* as the action and Service: events.amazonaws.com as the principal.

Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal.

Explanation:

Explanation

Correct Answer: D

Why D is correct:

Resource-based policy: When EventBridge needs to invoke a Lambda function, you need to grant EventBridge permission to invoke the function. This is done using a resource-based policy on the Lambda function itself.
Principle of least privilege: The policy should grant only the necessary permissions:
- Action: lambda:InvokeFunction (not lambda:* which is too permissive)
- Principal: Service: events.amazonaws.com (specifically for EventBridge service, not * which is too broad)

Why other options are incorrect:

A: Incorrect because:

Uses an execution role (which defines what the Lambda function can do, not who can invoke it)
Principal * is too permissive and violates least privilege

B: Incorrect because:

Uses an execution role (wrong type of policy for this scenario)
Principal Service: lambda.amazonaws.com is for Lambda service itself, not EventBridge

C: Incorrect because:

While it uses the correct resource-based policy approach
Action lambda:* is too permissive and violates least privilege principle

Key Concepts:

Execution Role: Defines what AWS resources the Lambda function can access (outbound permissions)
Resource-based Policy: Defines who can invoke the Lambda function (inbound permissions)
EventBridge Invocation: Requires resource-based policy on Lambda allowing events.amazonaws.com service principal to invoke the function
Least Privilege: Grant only the minimum permissions needed - lambda:InvokeFunction not lambda:*

Powered ByGPT-5.2

Comments

Loading comments...