Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 417 discussion

D. Create an IAM role with a managed policy attached that has permission boundaries specific to the Lambda functions. Allow the engineering team to assume this role.

A. Lambda function will not assume any role. This is a role for the team. B. To much permissions. Doesn;t follow least privilege. C. Execution Roles are for Lambda. Not relevant. D. (Correct Answer) Create an IAM role with a managed policy attached that has permission boundaries specific to the Lambda functions. Allow the engineering team to assume this role.

D is the answer

C & D are talking about permission boundaries. I think A is right. "When you first create an IAM role for your Lambda function during the development phase, you might sometimes grant permissions beyond what is required." https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html Not sure what I am missing here

"A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources. You provide this role when you create a function, and Lambda assumes the role when your function is invoked. You can create an execution role for development that has permission to send logs to Amazon CloudWatch and to upload trace data to AWS X-Ray." https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

ddddddddd

dddddddddddd

The engineering team is the one who build the Lambda function and the IAM role for this Lambda function. So the IAM role is about the rights to execute the Lambda function (not change or delete, etc).

D - IAM role and engg team assuming it is correct

Create an IAM role with a managed policy attached that has permission

D seems to suit the situation

This is clearly D

"The team must build roles and administer policies in AWS IAM in order to set the Lambda functions' rights." The problem to solve is to allow the engineering team to do this, C doesn't help the engineering team. D is the correct one.

A: Wrong. Lambda Functions don't assume an IAM role. It assumes execution role B. Wrong. Full Access is wrong C. Wrong. Is about team's permission. The managed policy is for team's permission, not for lambda execution role. D. Correct. AWS Managed Policy = Identity Policy = Permission Policy. Attach this policy to IAM role. The team assume this role

Keywords are "in order to set the Lambda functions' rights." which is about Lambda's rights on execution and not the user/teams' rights on triggering the lambda. Only C. talks about Lambda assuming the role with permission boundaries. Whereas D. talks about only users assuming the role with permission boundaries, This doesnt help if the Lambda itself has more permissions. So C. is the right answer.

D fo sho

i go for D