Question #673
A company manages hundreds of AWS Lambda functions that must be tested via Lambda function URLs by the QA team. The security team mandates that all access must be authenticated using IAM credentials. A developer needs to configure the Lambda functions' authentication to permit the QA IAM group to invoke them via the public URLs.
Which solution meets these requirements?
A. Create a CLI script to enable Lambda function URLs with AWS_IAM authentication for all functions. Run another script to create an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda ARNs. Attach this policy to the QA IAM group.
B. Create a CLI script to enable Lambda function URLs with NONE authentication for all functions. Run another script to create a resource-based policy for each Lambda allowing the lambda:InvokeFunctionUrl action, referencing the QA IAM group's ARN. Attach the policies to the respective Lambda functions.
C. Create a CLI script to enable Lambda function URLs with AWS_IAM authentication for all functions. Run another script to loop through each Lambda and create a resource-based policy allowing the lambda:InvokeFunctionUrl action for the QA IAM group's ARN. Attach the policies to the Lambdas.
D. Create a CLI script to enable Lambda function URLs with NONE authentication for all functions. Run another script to create an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda ARNs. Attach the policy to the QA IAM group.
Explanation
Answer A is correct because Lambda function URLs configured with AWS_IAM authentication require IAM credentials for access. By creating an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda ARNs and attaching it to the QA IAM group, the QA team gains the necessary permissions without modifying each function's resource-based policy. This approach scales efficiently for hundreds of functions. Options B and D use NONE authentication, violating security requirements. Option C uses resource-based policies, which would require updating each Lambda individually, making it less efficient compared to a single identity-based policy.
Answer
The correct answer is: A