Question #990
A developer configures Amazon S3 buckets to send event notifications to AWS Lambda functions for processing uploaded data. The development and production environments each have their own S3 buckets and Lambda functions within a single AWS account. The developer discovers that uploading files to the development S3 bucket sometimes triggers the production Lambda function. The developer needs to ensure that each Lambda function is only invoked by its corresponding S3 bucket environment.
Which solution will address this issue while maintaining the least administrative complexity?
A. Modify the execution role of each Lambda function to include a policy that restricts access to the respective S3 bucket.
B. Update each S3 bucket's policy to allow event notifications only to the intended Lambda function.
C. Move the development and production environments into separate AWS accounts. Update each Lambda function's execution role to restrict access to the S3 bucket in the same account.
D. Move the development and production environments into separate AWS accounts. Attach a resource policy to each Lambda function allowing invocation only from S3 buckets within the same account.
Explanation
Answer D is correct. Who may invoke a Lambda function is governed by the function's resource-based policy, not by anything on the bucket. The grant that aws lambda add-permission writes for the S3 service principal can be conditioned on AWS:SourceAccount (and on AWS:SourceArn for one specific bucket). With each environment in its own account and each function's policy conditioned on its own account, a notification target that points at the other environment's function is refused, because the cross-account invocation has no matching grant. Among the options given, this removes the cross-environment trigger with the least ongoing administration: the account boundary isolates the two environments, and the per-function policy needs no per-bucket maintenance.
A practical check in the existing single-account setup: run aws lambda get-policy on the production function and look at the S3 grant. If it carries no AWS:SourceArn condition, any bucket in the account whose notification configuration names that function can invoke it, which is exactly the symptom described. Pinning AWS:SourceArn to the production bucket's ARN (aws lambda add-permission with --source-arn) closes the same gap within one account but is not offered as an option here; the stray entry in the development bucket's notification configuration should be removed either way.
Why other options are incorrect:
- A: An execution role grants the function permissions to act on other services; it says nothing about who may invoke the function. The production function would still be invoked by the development bucket's notification.
- B: A bucket policy controls access to the bucket and its objects. Which function a bucket notifies is set in the bucket's notification configuration, and whether S3 may invoke that function is decided by the function's resource-based policy; neither is affected by the bucket policy.
- C: Moving to separate accounts provides the isolation, but the execution role is the wrong policy to edit: it does not restrict invocation sources. The function's resource-based policy must carry the account (or bucket) condition instead.
Key Points:
1. A Lambda function's resource-based policy decides who may invoke it; for S3 the grant is scoped with the AWS:SourceAccount and AWS:SourceArn condition keys.
2. Separate AWS accounts provide a hard boundary between environments.
3. A cross-account invocation is denied unless the target function's resource-based policy explicitly grants it.
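To make the two layers concrete, the following is an added Python model of how an S3 notification target is authorized against a function's resource-based policy. It is not code from the exam page or from AWS, and it is not AWS's policy evaluator: it models only the AWS:SourceArn and AWS:SourceAccount condition keys with the ArnLike, ArnEquals, StringLike and StringEquals operators, and the account IDs, bucket names and function names are constructed. It reproduces the question's misfire in one account, the account split of option D, and, going beyond the options, the single-account fix of pinning AWS:SourceArn to the bucket. The unscoped_s3_grants function is the audit check for a policy pulled with aws lambda get-policy.

```python
"""Simplified model of who may invoke a Lambda function from S3 (added illustration, not AWS code).
Two layers decide whether an upload reaches a function: the bucket's notification configuration
names the target function ARN, and that function's resource-based policy must allow the principal
s3.amazonaws.com, optionally conditioned on AWS:SourceArn / AWS:SourceAccount (the conditions
`aws lambda add-permission --source-arn/--source-account` writes). Only those condition keys and
four operators are modelled; account IDs, bucket and function names are constructed."""
import fnmatch

PROD_ACCOUNT = "111122223333"  # constructed account IDs
DEV_ACCOUNT = "444455556666"
REGION = "us-east-1"

def bucket_arn(name):
    return f"arn:aws:s3:::{name}"

def function_arn(account, name):
    return f"arn:aws:lambda:{REGION}:{account}:function:{name}"

def s3_invoke_policy(fn_arn, source_arn=None, source_account=None):
    """Resource-based policy holding the one Allow statement add-permission creates."""
    stmt = {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Resource": fn_arn}
    cond = {}
    if source_arn:
        cond["ArnLike"] = {"AWS:SourceArn": source_arn}
    if source_account:
        cond["StringEquals"] = {"AWS:SourceAccount": source_account}
    if cond:
        stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": [stmt]}

def _conditions_hold(cond, ctx):
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # key absent from the request context: condition fails
                return False
            if operator in ("ArnLike", "StringLike"):
                if not fnmatch.fnmatchcase(actual, expected):
                    return False
            elif operator in ("ArnEquals", "StringEquals"):
                if actual != expected:
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True

def s3_may_invoke(policy, fn_arn, src_bucket_arn, src_account):
    """True if some Allow statement lets S3 invoke fn_arn on behalf of that bucket."""
    ctx = {"AWS:SourceArn": src_bucket_arn, "AWS:SourceAccount": src_account}
    return any(s.get("Effect") == "Allow"
               and s.get("Principal", {}).get("Service") == "s3.amazonaws.com"
               and s.get("Action") == "lambda:InvokeFunction"
               and s.get("Resource") == fn_arn
               and _conditions_hold(s.get("Condition", {}), ctx)
               for s in policy["Statement"])

def simulate_upload(src_bucket_arn, src_account, notification_targets, policies):
    """Function ARNs actually invoked for one upload; notification_targets are the
    LambdaFunctionArn values from the bucket's notification configuration."""
    return [fn for fn in notification_targets
            if s3_may_invoke(policies[fn], fn, src_bucket_arn, src_account)]

def unscoped_s3_grants(policy):
    """Audit check: Allow statements for s3.amazonaws.com with no AWS:SourceArn condition.
    Inside one account such a grant lets any bucket whose notification configuration
    names the function invoke it, which is the symptom in the question."""
    found = []
    for s in policy["Statement"]:
        cond = s.get("Condition", {})
        arn_keys = set(cond.get("ArnLike", {})) | set(cond.get("ArnEquals", {}))
        if (s.get("Effect") == "Allow"
                and s.get("Principal", {}).get("Service") == "s3.amazonaws.com"
                and "AWS:SourceArn" not in arn_keys):
            found.append(s)
    return found

DEV_BUCKET = bucket_arn("example-dev-uploads")    # constructed names
PROD_BUCKET = bucket_arn("example-prod-uploads")

def run_scenario(dev_account, scope_by_bucket):
    """Upload to the dev bucket whose notification configuration wrongly lists both functions.
    Each function's policy is conditioned on its own account and, if scope_by_bucket, its bucket."""
    dev_fn = function_arn(dev_account, "process-dev")
    prod_fn = function_arn(PROD_ACCOUNT, "process-prod")
    policies = {
        dev_fn: s3_invoke_policy(dev_fn, DEV_BUCKET if scope_by_bucket else None, dev_account),
        prod_fn: s3_invoke_policy(prod_fn, PROD_BUCKET if scope_by_bucket else None, PROD_ACCOUNT),
    }
    return simulate_upload(DEV_BUCKET, dev_account, [dev_fn, prod_fn], policies)

if __name__ == "__main__":
    print("one account, account-scoped (the misfire):", run_scenario(PROD_ACCOUNT, False))
    print("separate accounts (option D):             ", run_scenario(DEV_ACCOUNT, False))
    print("one account, AWS:SourceArn pinned:        ", run_scenario(PROD_ACCOUNT, True))
```

The first scenario invokes both functions: a policy conditioned only on AWS:SourceAccount is satisfied by every bucket in the account, so the wrong notification target goes through. The second (option D) and third scenarios each invoke only the development function, because the production function's grant no longer matches the development bucket's account or ARN.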
Answer
The correct answer is: D