Exam AWS Certified Security - Specialty All Questions


Exam AWS Certified Security - Specialty topic 1 question 350 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 350
Topic #: 1

A security engineer is developing automation that uses an AWS Lambda function to add tags to non-compliant IAM users and IAM roles. During testing, the function fails to perform the tagging action. When the security engineer attempts to look at the associated Amazon CloudWatch log group, no logs are being generated. After additional troubleshooting, the security engineer determines that the issue is related to the associated Lambda execution role.

Which statement should the security engineer add to the Lambda execution role to ensure functionality while following the principle of least privilege?

  • A.
  • B.
  • C.
  • D.
Suggested Answer: D
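As an added illustration of the scenario (this is not one of the question's four options, which the page does not reproduce): a least-privilege permissions policy for the execution role that covers both symptoms, the missing CloudWatch log output and the failed tagging. REGION, ACCOUNT_ID and FUNCTION_NAME are placeholders, and the condition key the thread debates (aws:SourceArn vs aws:PrincipalArn vs aws:CalledVia) is deliberately left out so the example does not take a side.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteFunctionLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/FUNCTION_NAME",
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/FUNCTION_NAME:*"
      ]
    },
    {
      "Sid": "TagNonCompliantPrincipals",
      "Effect": "Allow",
      "Action": [
        "iam:TagUser",
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::ACCOUNT_ID:user/*",
        "arn:aws:iam::ACCOUNT_ID:role/*"
      ]
    }
  ]
}
```

Lambda writes to the log group /aws/lambda/FUNCTION_NAME by default, so scoping the logs actions to that group and its streams is what keeps the statement narrower than the usual "Resource": "*"; the tagging statement likewise names only user and role ARNs rather than all IAM resources.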

Comments

minori
Highly Voted 2 years, 5 months ago
D. aws:PrincipalArn uses the following: IAM role, IAM user, AWS STS federated user session, AWS account root user. The Lambda ARN is not in it.
upvoted 7 times
Un1c0rn
Highly Voted 2 years, 4 months ago
Selected Answer: D
D - It should be SourceARN, not PrincipalARN. Use SourceARN to compare the ARN of the resource making a "service-to-service" request with the ARN that you specify in the policy. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#:~:text=aws%3ASourceArn,ARN%20that%20you%20specify%20in%20the%20policy.
upvoted 5 times
kujin
2 years, 2 months ago
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#:~:text=you%20are%20using.-,aws%3ASourceArn,-Works%20with%20ARN
upvoted 1 times
6_8ftwin
Most Recent 1 year, 11 months ago
D. CalledVia is used to specify a service, not a specific ARN. Also, Lambda is not included as one of these services.
upvoted 1 times
sakibmas
2 years, 4 months ago
Selected Answer: D
B - wrong condition - CalledVia. C - wrong permission - CreateLog.
upvoted 1 times
secdaddy
2 years, 4 months ago
I struggle with SourceArn vs PrincipalArn. Looking at this a different way though, I note that tagging doesn't work and that, of the four policies, none of the tag-related Actions change, so it follows that the problem isn't the Actions but some other part of the policy. The only part of the policy that changes between the four options, not looking at Actions, is the PrincipalArn vs SourceArn condition. So I guess D on this basis.
upvoted 1 times
Subs2021
2 years, 4 months ago
Selected Answer: D
Ans: D
upvoted 1 times
john99291
2 years, 5 months ago
So it might be A, but why not C? It's more least-privilege than A.
upvoted 1 times
Phongsanth
2 years, 5 months ago
Selected Answer: A
A is good for me. B uses the via-service condition. C does not have enough permissions, as others noted. D uses SourceArn; refer to this wording: "Use this key to compare the Amazon Resource Name (ARN) of the resource making a service-to-service request with the ARN that you specify in the policy. This key does not work with the ARN of the principal making the request. Instead, use aws:PrincipalArn. The source's ARN includes the account ID, so it is not necessary to use aws:SourceAccount with aws:SourceArn." https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
upvoted 1 times
AdamWest
2 years, 5 months ago
Selected Answer: D
D is the answer. Answer B uses CalledVia, which relates to the Athena context key, not execution. https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena-calledvia.html
upvoted 1 times
landsamboni
2 years, 5 months ago
Selected Answer: D
Answer: D.
upvoted 3 times
Teknoklutz
2 years, 5 months ago
Why not B?
upvoted 1 times
Smartphone
2 years, 3 months ago
B - wrong condition - CalledVia
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)