Q86 — AWS DEA-C01 Ch.1
A data engineer creates an AWS Lambda function that an Amazon EventBridge event will invoke. When the data engineer tries to invoke the Lambda function by using an EventBridge event, an AccessDeniedException message appears. How should the data engineer resolve the exception?
- A. Ensure that the trust policy of the Lambda function execution role allows EventBridge to assume the execution role.
- B. Ensure that both the IAM role that EventBridge uses and the Lambda function's resource-based policy have the necessary permissions. ✓
- C. Ensure that the subnet where the Lambda function is deployed is configured to be a private subnet.
- D. Ensure that EventBridge schemas are valid and that the event mapping configuration is correct.
Correct Answer: B. Ensure that both the IAM role that EventBridge uses and the Lambda function's resource-based policy have the necessary permissions.
Explanation
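Permission setup for calls between AWS services usually involves dual authorization: the caller's IAM policy and the callee's resource policy. The AWS documentation states that when EventBridge triggers Lambda, EventBridge needs an IAM role with the lambda:InvokeFunction permission, and the Lambda function's resource policy must also authorize the EventBridge service (events.amazonaws.com) to invoke the function. Option A is wrong because the trust policy of the Lambda execution role relates to the Lambda service itself, not to EventBridge. The network configuration in option C does not resolve a permissions error. The event structure problems in option D usually lead to other error types. The correct option, B, corresponds to the combined permission requirement of the IAM role and the resource policy.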