Role of Lambda Permissions
Question
You are a software engineer and are creating a new web service in AWS.
The service is about daily schedules where end users can configure and fetch.
It contains an AngularJs front end that deals with data in a DynamoDB table called "UserScheduleData" with read and write permissions.
You plan to use API gateway and Lambda to handle the backend service.
During development, you also need to do integration testings frequently using curl for the API endpoints.
You have created a role “ScheduleRoleLambda” for the Lambda itself.
What below options should you perform to ensure that the Lambda contains the necessary permissions in the service role? (Select TWO).
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E. F.Correct Answer - B, F.
Firstly, the CloudWatch Logs permission for Lambda is required at a minimum.
Refer to the below Lambda settings:
Every lambda needs this permission to create a log group, log stream, and put log events.
Besides, access for DynamoDB is required for the Lambda.
"dynamodb:GetItem" and "dynamodb:PutItem" are necessary.
Lastly, it needs to add permission to the permissions policy associated with the Lambda function.
Run the add-permission AWS Lambda command to grant the Amazon API Gateway service principal (apigateway.amazonaws.com) permissions to invoke the Lambda function.
https://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example.htmlOption A is incorrect, although AWS X-Ray can trace AWS Lambda functions, it is not mandatory.
Option B is CORRECT because the Lambda function needs access to Amazon CloudWatch Logs for log streaming.
Option C is incorrect, although this permission is needed, it does not belong to the Lambda function's service role.
Option D is incorrect, SNS may help with error handling; however, it is optional and only needed depending on specific requirements.
Option E is incorrect because, for the permissions of DynamoDB, the resource should be arn name of the DynamoDB table in accordance with the principle of least privilege.
"dynamodb:FetchItem" is incorrect as well.
The below is an example:
Option F is CORRECT because it correctly describes the permissions for DynamoDB.References:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html https://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example.html
Sure, I can provide a detailed explanation of the options for you.
A. AWSXrayWriteOnlyAccess policy is needed for “ScheduleRoleLambda” so that a segment record with details about the function invocation and execution can be saved for tracking and debug purpose.
AWS X-Ray is a service that allows you to debug and analyze your serverless applications in production environments. This policy provides the Lambda function with permission to write to X-Ray, which is useful for debugging and tracing function invocations. This is particularly important if you are running a large-scale production system where you need to monitor and debug your functions.
B. “ScheduleRoleLambda” should have a policy for CloudWatch Logs including CreateLogGroup, CreateLogStream and PutLogEvents.
CloudWatch Logs is a service that allows you to store and monitor logs from your applications and systems. This policy provides the Lambda function with permission to create and write logs to CloudWatch Logs. This is important for debugging and monitoring the Lambda function. The CreateLogGroup, CreateLogStream, and PutLogEvents actions allow the Lambda function to create log groups, log streams, and put log events in CloudWatch Logs.
C. Invoke permissions are needed to the permissions policy associated with your Lambda function so that the API Gateway can call the lambda function.
When you create a Lambda function, you need to specify a permission policy that allows other AWS services to invoke the function. In this case, you need to add the API Gateway as a service that can invoke the Lambda function. This policy allows the API Gateway to call the Lambda function by granting the necessary permissions to the function's IAM role.
D. “sns:publish” allow inline policy should be added into “ScheduleRoleLambda” for error handlings. For example, when exception appears, the message can be put into a dead letter queue via SNS publish.
Amazon SNS is a messaging service that allows you to publish messages to topics that can be subscribed to by other AWS services. This policy provides the Lambda function with permission to publish messages to SNS topics. You can use SNS to send notifications or to handle errors in your Lambda function by putting messages into a dead letter queue. This policy allows the Lambda function to publish messages to SNS topics by granting the necessary permissions to the function's IAM role.
E. “ScheduleRoleLambda” should contain an inline policy to allow DynamoDb access. The resource should be “*” and the action should contain "dynamodb:FetchItem", "dynamodb:PutItem" and "dynamodb:Query".
This policy provides the Lambda function with permission to read and write to a DynamoDB table. The resource specifies the table name and the actions allow the function to fetch, put and query items in the table. The resource is set to "*" which means all tables in DynamoDB are accessible. It is important to note that this policy grants broad access to all DynamoDB tables, so you should be careful when using it in production environments.
F. An IAM policy to allow DynamoDb access is needed for “ScheduleRoleLambda”. The resource should be the arn of “UserScheduleData” and the actions should contain "dynamodb:GetItem" and "dynamodb:PutItem".
This policy provides the Lambda function with permission to read and write to a specific DynamoDB table. The resource is set to the ARN of the "UserScheduleData" table, which means the Lambda function only has access to this specific table. The actions allow the function to get and put items in the table. This policy provides more specific access control than the previous option, which grants access to all DynamoDB tables.
