
Answer-first summary for fast verification
Answer: Add a resource-based policy to the function with `lambda:InvokeFunction` as the action and `Service: events.amazonaws.com` as the principal.
## Explanation

**Correct Answer: D**

**Why D is correct:**

1. **Resource-based policy**: When EventBridge needs to invoke a Lambda function, you must grant EventBridge permission to invoke the function. This is done with a resource-based policy attached to the Lambda function itself.
2. **Principle of least privilege**: The policy should grant only the necessary permissions:
   - Action: `lambda:InvokeFunction` (not `lambda:*`, which is too permissive)
   - Principal: `Service: events.amazonaws.com` (the EventBridge service principal specifically, not `*`, which is too broad)

**Why the other options are incorrect:**

**A:** Incorrect because:
- It uses an execution role, which defines what the Lambda function can do, not who can invoke it
- Principal `*` is too permissive and violates least privilege

**B:** Incorrect because:
- It uses an execution role, the wrong type of policy for this scenario
- Principal `Service: lambda.amazonaws.com` is the Lambda service principal, not EventBridge

**C:** Incorrect because:
- It does use the correct resource-based policy approach
- But action `lambda:*` is too permissive and violates the least privilege principle

**Key Concepts:**

- **Execution Role**: Defines what AWS resources the Lambda function can access (outbound permissions)
- **Resource-based Policy**: Defines who can invoke the Lambda function (inbound permissions)
- **EventBridge Invocation**: Requires a resource-based policy on the Lambda function that allows the `events.amazonaws.com` service principal to invoke it
- **Least Privilege**: Grant only the minimum permissions needed: `lambda:InvokeFunction`, not `lambda:*`
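The following is an added example, not code from LeetQuiz or from AWS. It writes each of the four answer options as the resource-based policy statement it describes and runs a small least-privilege check over them: the action must be exactly `lambda:InvokeFunction` and the principal must be the `events.amazonaws.com` service principal. The statement shape (`Effect`/`Action`/`Principal`/`Resource`/`Condition`) is the real Lambda resource-based policy format; the function and rule ARNs and the statement ids are constructed placeholders. It goes one step beyond the question by also showing the optional `AWS:SourceArn` condition, which pins the grant to a single EventBridge rule rather than to the whole EventBridge service.

```python
"""Least-privilege check for Lambda resource-based policy statements.

Added example, not code from LeetQuiz or AWS. Each answer option is written
as the policy statement it describes and checked against least privilege.
ARNs and statement ids below are constructed placeholders.
"""
import json

REQUIRED_ACTION = "lambda:InvokeFunction"
EVENTBRIDGE_SERVICE = "events.amazonaws.com"
# Constructed placeholder ARNs (not real resources).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-processor"
RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/new-order"


def invoke_statement(action, principal, source_arn=None, sid="AllowInvoke"):
    """Build one resource-based policy statement on the function.

    source_arn is optional and goes beyond the question: it restricts the
    grant to one EventBridge rule via the standard AWS:SourceArn condition key.
    """
    stmt = {
        "Sid": sid,
        "Effect": "Allow",
        "Action": action,
        "Principal": principal,
        "Resource": FUNCTION_ARN,
    }
    if source_arn:
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return stmt


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_invoke_statement(stmt, expected_service=EVENTBRIDGE_SERVICE):
    """Return least-privilege findings for one statement; [] means it passes."""
    findings = []
    if stmt.get("Effect") != "Allow":
        findings.append("statement is not an Allow; nothing is granted")
    for action in _as_list(stmt.get("Action", [])):
        if "*" in action:
            findings.append(f"wildcard action {action!r}; grant only {REQUIRED_ACTION}")
        elif action != REQUIRED_ACTION:
            findings.append(f"unexpected action {action!r}")
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        findings.append("principal '*' lets any caller invoke the function")
    elif isinstance(principal, dict) and "Service" in principal:
        for service in _as_list(principal["Service"]):
            if service != expected_service:
                findings.append(f"service principal {service!r} is not {expected_service}")
    else:
        findings.append(f"unexpected principal {principal!r}")
    return findings


# The four options, written as the statement each one describes. A and B ask
# for an execution role, which is the wrong policy type entirely; their
# principals are modelled here only to surface the principal findings.
OPTIONS = {
    "A": invoke_statement(REQUIRED_ACTION, "*"),
    "B": invoke_statement(REQUIRED_ACTION, {"Service": "lambda.amazonaws.com"}),
    "C": invoke_statement("lambda:*", {"Service": EVENTBRIDGE_SERVICE}),
    "D": invoke_statement(REQUIRED_ACTION, {"Service": EVENTBRIDGE_SERVICE}),
}


def passing_options():
    """Letters of the options whose statement produces no findings."""
    return sorted(k for k, s in OPTIONS.items() if not check_invoke_statement(s))


def least_privilege_policy():
    """Full policy document for option D, further scoped to one rule by SourceArn."""
    stmt = invoke_statement(REQUIRED_ACTION, {"Service": EVENTBRIDGE_SERVICE},
                            source_arn=RULE_ARN, sid="AllowEventBridgeRule")
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    for letter, stmt in OPTIONS.items():
        print(letter, check_invoke_statement(stmt) or "OK")
    print(json.dumps(least_privilege_policy(), indent=2))
```

Only option D passes. In a real account the same statement is what `aws lambda add-permission --principal events.amazonaws.com --action lambda:InvokeFunction --source-arn <rule-arn>` writes, and `aws lambda get-policy` returns the document that a check like this one would review.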
Author: LeetQuiz Editorial Team
A company is preparing to deploy a new serverless workload. A solutions architect must use the principle of least privilege to configure permissions that will be used to run an AWS Lambda function. An Amazon EventBridge (Amazon CloudWatch Events) rule will invoke the function. Which solution meets these requirements?
A. Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.

B. Add an execution role to the function with lambda:InvokeFunction as the action and Service: lambda.amazonaws.com as the principal.

C. Add a resource-based policy to the function with lambda:* as the action and Service: events.amazonaws.com as the principal.

D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal.