
Exam AWS Certified Security - Specialty topic 1 question 19 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 19
Topic #: 1

A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.

After several minutes, the Engineer finds that his Athena query has failed with the error message: `Insufficient Permissions`. The IAM permissions of the Security Engineer and the Lambda function are shown below:

Security Engineer - [IAM policy image not captured]

Lambda function execution role - [IAM policy image not captured]

What is causing the error?

  • A. The Lambda function does not have permissions to start the Athena query execution.
  • B. The Security Engineer does not have permissions to start the Athena query execution.
  • C. The Athena service does not support invocation through Lambda.
  • D. The Lambda function does not have permissions to access the CloudTrail S3 bucket.
Suggested Answer: D

Comments

sensor
Highly Voted 3 years, 9 months ago
The question states that a CloudWatch event triggers the Lambda function (which must be assumed in the function policy) and the Lambda function in turn runs an Amazon Athena query (which is in the execution role) that checks AWS CloudTrail logs in Amazon S3. So the System Engineer is not starting the Athena query directly; the Lambda function is. Because of the sentence "The results of the Athena query are created in the same S3 bucket." I believe that the S3 bucket policy rules out the Lambda function and therefore D.
upvoted 46 times
ChauPhan
3 years, 7 months ago
Agree, but the question is not clear: "the Engineer finds that HIS Athena query has failed". At the first look, I thought the Engineer queried Athena directly, LOL.
upvoted 2 times
freddyman
3 years, 8 months ago
Agree, D makes the most sense.
upvoted 6 times
wahlbergusa
3 years, 7 months ago
I thought that Athena needs a role to access the S3 results bucket, then realized that there is no such configuration in the AWS Console. Then I found this article, https://aws.amazon.com/premiumsupport/knowledge-center/access-denied-athena/ ; although it is not the same scenario, it explicitly mentions that the IAM user or the principal who/which runs the Athena query must have access to both the source and destination S3 buckets. Since the principal running the query in this question is the Lambda function, the Lambda execution role must have access to the S3 bucket.
upvoted 7 times
pal40sg
1 year, 9 months ago
Thanks for the clarification!
upvoted 1 times
Sitender
Highly Voted 3 years, 8 months ago
I feel that 40% of the answers are wrong. The quality of the site is not good. Admin should review and take feedback from us.
upvoted 23 times
Aamee
Most Recent 1 year, 6 months ago
Selected Answer: B
It's a tricky question, guys! ... It clearly states that: "his Athena query has failed with the error message: `Insufficient Permissions`", which means that the Security Engineer is trying to execute Athena queries by himself and that's why he's getting that insufficient permissions error. Therefore, that leads me to believe that only Option B is correct here!
upvoted 1 times
anhtu133
1 year, 6 months ago
I think the question and answers are not clear. But he doesn't have permission to execute the Athena query. Therefore B is the answer for me.
upvoted 1 times
Benah
1 year, 9 months ago
The Security Engineer does not have permissions to start the Athena query execution.
upvoted 1 times
Shenannigan
1 year, 9 months ago
Selected Answer: D
The Lambda role literally has 0 permissions to S3.
upvoted 1 times
pk0619
1 year, 11 months ago
Selected Answer: D
Without S3 access, Lambda won't be able to run a query.
upvoted 3 times
Green53
1 year, 12 months ago
Selected Answer: B
Based on:
  • The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.
  • Engineer finds that his Athena query has failed with the error message: `Insufficient Permissions`
The Lambda function runs correctly, ruling out both A and D. Leaves B and C. Since C is false, that just leaves B.
upvoted 1 times
KarthikeyanTK
2 years ago
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}
upvoted 1 times
KarthikeyanTK
2 years ago
Selected Answer: A
By adding the "athena:StartQueryExecution" action to the Lambda function's execution role, it will have the necessary permissions to initiate the Athena query execution and resolve the "Insufficient Permissions" error.
upvoted 1 times
Robert0
2 years ago
Selected Answer: D
As pointed out by other comments, because of the sentence "The results of the Athena query are created in the same S3 bucket.", the Lambda needs permissions to write to the bucket.
upvoted 2 times
ITGURU51
2 years, 1 month ago
To grant a Lambda function access to an S3 bucket, you have to attach an IAM policy to the function’s execution role. The policy should grant permissions for all the actions the function needs to perform on the specified bucket. For example, the following policy grants permission to upload objects to a specific S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
upvoted 1 times
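As an added example (not from the exam question or any commenter), here is a small Python checker that evaluates a Lambda execution role's IAM policy against the calls the scenario in the question requires: start and poll the Athena query, read CloudTrail objects from the bucket, and write the query results back to the same bucket. The evaluator is deliberately simplified (Allow/Deny with action and resource wildcards, no Conditions, NotAction, bucket policies or SCPs); the bucket name, account id and object keys are constructed placeholders, and the Glue Data Catalog permissions a real Athena query also needs are out of scope. It shows that the Athena-only policy quoted above in the thread is missing every S3 call, while a role that adds scoped read access to the CloudTrail prefix and write access to the results prefix passes.

```python
import fnmatch
from typing import Dict, List, Tuple

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins; otherwise any
    matching Allow grants access. Wildcards use shell-style matching."""
    allowed = False
    for st in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if act_hit and res_hit:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Calls the execution role must be permitted to make in the question's flow.
# Bucket, account id and keys are constructed placeholders.
BUCKET = "arn:aws:s3:::example-cloudtrail-bucket"
REQUIRED: List[Tuple[str, str]] = [
    ("athena:StartQueryExecution", "*"),
    ("athena:GetQueryExecution", "*"),
    ("athena:GetQueryResults", "*"),
    ("s3:GetBucketLocation", BUCKET),
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", BUCKET + "/AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/t.json.gz"),
    ("s3:PutObject", BUCKET + "/athena-results/query1.csv"),
]

def missing_permissions(policy: Dict) -> List[Tuple[str, str]]:
    """Return the required (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in REQUIRED if not is_allowed(policy, a, r)]

# Role with Athena actions only (as quoted in the thread): the query can be
# started, but fails as soon as Athena touches S3 on the role's behalf.
ATHENA_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
               "athena:GetQueryResults"], "Resource": "*"}]}

# Corrected role: Athena actions plus least-privilege read/write on the bucket.
FIXED = {"Version": "2012-10-17", "Statement": ATHENA_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"], "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/AWSLogs/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/athena-results/*"},
]}

if __name__ == "__main__":
    print("athena-only role is missing:", missing_permissions(ATHENA_ONLY))
    print("fixed role is missing:", missing_permissions(FIXED))
```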
Kitman
2 years, 1 month ago
Selected Answer: B
Ans is B
upvoted 1 times
matrpro
2 years, 1 month ago
Selected Answer: B
It is a tricky question. The key point is in "his Athena query". Also, D must be wrong because Lambda doesn't access the S3 bucket by itself; it is Athena that accesses S3.
upvoted 2 times
kujin
2 years, 2 months ago
D https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html Every Lambda function has an IAM role called an execution role. In this role, you can attach a policy that defines the permissions that your function needs to access other AWS services and resources. At a minimum, your function needs access to Amazon CloudWatch Logs for log streaming. If your function calls other service APIs with the AWS SDK, you must include the necessary permissions in the execution role's policy. Lambda also uses the execution role to get permission to read from event sources when you use an event source mapping to invoke your function.
upvoted 1 times
blanco750
2 years, 3 months ago
I got this question in my exam today
upvoted 1 times
roguecloud
2 years, 4 months ago
After reading/re-reading a dozen times, I really wanted it to be D. But it boils down to how AWS exams are written... I guess it is B. Note:
1. "his Athena query has failed"
2. Lambda (already) succeeded
3. Engineer has S3:*
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other