Question #1124
A company is deploying a serverless application where an AWS Lambda function processes events from an Amazon SNS topic. A solutions architect must apply the principle of least privilege to configure permissions for the Lambda function. The Amazon SNS service will invoke the function. Which solution meets these requirements?
A. Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.
B. Add an execution role to the function with lambda:InvokeFunction as the action and Service:sns.amazonaws.com as the principal.
C. Add a resource-based policy to the function with lambda:* as the action and Service:sns.amazonaws.com as the principal.
D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service:sns.amazonaws.com as the principal.
Explanation
Answer D is correct because:
1. Resource-Based Policy: To allow SNS to invoke a Lambda function, the permission must be granted in the function's resource-based policy, not in its execution role. The execution role defines what the function itself may do (the permissions it assumes while running), while the resource-based policy defines who may invoke it.
2. Least Privilege: Using the specific action lambda:InvokeFunction instead of the wildcard lambda:* limits the grant to the one action SNS actually needs.
3. Principal Restriction: Specifying Service:sns.amazonaws.com ensures that only the SNS service can invoke the function, avoiding an overly broad principal such as *.
Why other options are incorrect:
- A: Uses an execution role (the wrong mechanism for invoke permission) and a * principal (too broad).
- B: Uses an execution role instead of a resource-based policy; the principal is correct but the mechanism is wrong.
- C: Uses the correct mechanism but grants lambda:* (excessive permissions), violating least privilege.
Key Points:
- Use resource-based policies to grant cross-service permissions (e.g., SNS invoking Lambda).
- Always restrict actions and principals to the minimum required.
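As an added example (not part of the question bank), here is the option D grant written out as a Lambda resource-based policy statement, together with a small checker that flags the least-privilege problems in the other options. The ARNs are constructed placeholders, and the aws:SourceArn condition goes one step beyond the question by pinning the grant to a single SNS topic rather than any topic in any account.

```python
import json

# Constructed placeholder ARNs for this example (not from the question).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:process-events"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:order-events"


def sns_invoke_statement(function_arn: str, topic_arn: str) -> dict:
    """Resource-based policy statement equivalent to option D, plus the
    aws:SourceArn condition so only this one topic can invoke the function."""
    return {
        "Sid": "AllowSnsTopicInvoke",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
    }


def least_privilege_findings(stmt: dict) -> list:
    """Return the least-privilege problems found in a Lambda resource-based
    policy statement; an empty list means the statement passes the checks."""
    findings = []
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    if any(a == "*" or a.endswith(":*") for a in actions):
        findings.append("wildcard action")          # option C's problem
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        findings.append("wildcard principal")       # option A's * principal
    if stmt.get("Resource", "*") == "*":
        findings.append("wildcard resource")
    if "aws:SourceArn" not in json.dumps(stmt.get("Condition", {})):
        findings.append("no aws:SourceArn condition (any SNS topic could invoke)")
    return findings


# Option C expressed as a statement: same principal, but lambda:* as the action.
OPTION_C = dict(sns_invoke_statement(FUNCTION_ARN, TOPIC_ARN), Action="lambda:*")

if __name__ == "__main__":
    print("D:", least_privilege_findings(sns_invoke_statement(FUNCTION_ARN, TOPIC_ARN)))
    print("C:", least_privilege_findings(OPTION_C))
```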
Answer
The correct answer is: D