AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations team runs a Lambda function named ValidateTag in AWS account 111111111111. A custom AWS Config rule that resides in account 222222222222 must invoke this function. Security policy states that all permissions must be managed from account 111111111111 and that no IAM roles may be created or modified in account 222222222222. Which approach meets these requirements while following the principle of least privilege?
Add a permission to the Config rule that allows it to assume a role in account 111111111111 which has lambda:* permissions on the function.
From account 111111111111 run `aws lambda add-permission --function-name ValidateTag --statement-id AllowConfigCrossAccount --action lambda:InvokeFunction --principal config.amazonaws.com --source-account 222222222222`, which adds a resource-based policy to the function.
Share the ValidateTag function with account 222222222222 by using AWS Resource Access Manager; the share automatically grants invoke permissions to AWS Config.
Create an IAM role in account 222222222222 that trusts account 111111111111, attach the lambda:InvokeFunction permission to it, and reference the role ARN in the Config rule.
Because AWS Config is an AWS service, the safest way to let a Config rule in another account invoke the function is to add a resource-based policy statement to the Lambda function in the owning account. Running `aws lambda add-permission` (the AddPermission API, also available in the console) adds a statement that names `config.amazonaws.com` as the principal, grants only the `lambda:InvokeFunction` action, and scopes the permission to the calling account with a `SourceAccount` or `SourceArn` condition, so Config rules in any other account cannot invoke the function through the same service principal. No new roles are needed in the calling account, and all permissions stay managed from account 111111111111. The other options either rely on creating or changing roles in account 222222222222, use an unsupported sharing mechanism (Resource Access Manager does not share Lambda functions this way), or grant an overly broad action (`lambda:*`), so they violate the stated constraints or least-privilege practice.
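To verify that the resulting function policy really is least privilege, an operator can pull it with `aws lambda get-policy --function-name ValidateTag` and audit it offline. The following is an added example (not part of the original question or any AWS tooling) that does that audit: the sample policy documents are constructed to mirror the shape `add-permission` produces, and the exact condition key names (`AWS:SourceAccount`, `AWS:SourceArn`) and the function ARN are assumptions for the purposes of the check.

```python
"""Audit a Lambda resource-based policy for a least-privilege cross-account
AWS Config grant: only lambda:InvokeFunction, only this function, and a
SourceAccount/SourceArn condition pinning the caller to one account.

Added example, not code from the original page. Sample policies below are
constructed; the key names are assumed to match `aws lambda get-policy` output.
"""
import json

# Assumed ARN of the function from the question (region is an assumption).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:ValidateTag"

# Constructed: what the policy looks like after the add-permission command
# with --principal config.amazonaws.com --source-account 222222222222.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "AllowConfigCrossAccount",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"AWS:SourceAccount": "222222222222"}},
    }],
})

# Constructed: the over-broad variant (lambda:* and no source condition).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "AllowConfigAnything",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "lambda:*",
        "Resource": FUNCTION_ARN,
    }],
})


def _as_list(value):
    """IAM allows scalar-or-list for Action/Resource/Service; normalise."""
    return value if isinstance(value, list) else [value]


def audit_config_invoke_policy(policy_json, function_arn, source_account):
    """Return a list of findings; an empty list means every statement that
    grants config.amazonaws.com access is scoped the way the question requires."""
    policy = json.loads(policy_json)
    findings = []
    config_statements = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A wildcard principal makes the function publicly invokable.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: wildcard principal")
            continue
        if isinstance(principal, dict) and \
                "config.amazonaws.com" in _as_list(principal.get("Service", [])):
            config_statements.append(stmt)
    if not config_statements:
        findings.append("no Allow statement names config.amazonaws.com as a service principal")
        return findings

    for stmt in config_statements:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if actions != ["lambda:InvokeFunction"]:
            findings.append(f"{sid}: action(s) {actions} broader than lambda:InvokeFunction")
        if _as_list(stmt.get("Resource", "*")) != [function_arn]:
            findings.append(f"{sid}: resource is not exactly the function ARN")
        # Accept either form of caller scoping that add-permission can emit.
        cond = stmt.get("Condition", {})
        scoped = cond.get("StringEquals", {}).get("AWS:SourceAccount") == source_account
        for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
            for arn in _as_list(cond.get(op, {}).get("AWS:SourceArn", [])):
                if arn.startswith("arn:aws:config:") and f":{source_account}:" in arn:
                    scoped = True
        if not scoped:
            findings.append(f"{sid}: no SourceAccount/SourceArn condition limiting callers to {source_account}")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_config_invoke_policy(doc, FUNCTION_ARN, "222222222222") or "OK")
```

Feed the script the `Policy` string from `get-policy` output in place of the constructed samples; a non-empty findings list for the `ValidateTag` statement means the grant is wider than the question's answer allows.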
Security and Compliance