Q16 — AWS DOP-C02 Ch.3


A DevOps team created a custom AWS Config rule using an AWS Lambda function. The rule monitors ECR repository policy statements for ECR:* actions. When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route notifications to the security team. When evaluating the custom AWS Config rule, the AWS Lambda function fails to execute. Which solution resolves this?

Correct Answer: A. Modify the Lambda function’s resource policy to grant AWS Config permission to invoke the function.

Explanation

For AWS Config to invoke a Lambda function during custom rule evaluation, the Lambda function’s resource policy must explicitly permit AWS Config as a principal. The resource policy governs which services are authorized to invoke the function. AWS documentation states that when creating a custom Config rule, the Lambda resource policy must include AWS Config as a permitted invoker. Option A directly addresses the root cause—missing invocation permission. Options B, C, and D address unrelated concerns (SNS publishing, execution role permissions, or ECR policy grants) and do not resolve AWS Config’s inability to invoke the Lambda function.
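As an added illustration (not part of the question or of any AWS tooling), the Python below checks a Lambda function's resource policy for the statement the explanation describes and adds it when missing; the policy document, function ARN and account ID are constructed sample values, and the statement mirrors what `aws lambda add-permission --principal config.amazonaws.com --action lambda:InvokeFunction --source-account <id>` produces.

```python
import json

# Service principal under which AWS Config invokes a custom-rule Lambda function.
CONFIG_PRINCIPAL = "config.amazonaws.com"
INVOKE_ACTION = "lambda:InvokeFunction"

# Constructed sample values (placeholders, not real resources).
SAMPLE_FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:ecr-policy-check"
SAMPLE_ACCOUNT = "123456789012"
# Constructed resource policy that only lets EventBridge invoke the function;
# AWS Config is absent, which is the failure the question describes.
MISSING_CONFIG_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEventBridge", "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "lambda:InvokeFunction", "Resource": SAMPLE_FUNCTION_ARN,
    }],
})

def _as_list(value):
    """Policy fields may hold a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def config_can_invoke(policy_json: str) -> bool:
    """True if some Allow statement lets the AWS Config principal invoke the function."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in (INVOKE_ACTION, "lambda:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CONFIG_PRINCIPAL in services:
            return True
    return False

def add_config_permission(policy_json: str, function_arn: str, account_id: str) -> str:
    """Return the policy with the AWS Config invoke statement appended (no-op if present).
    The SourceAccount condition stops Config in other accounts from invoking the function."""
    if config_can_invoke(policy_json):
        return policy_json
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    statements.append({
        "Sid": "AllowConfigInvoke", "Effect": "Allow",
        "Principal": {"Service": CONFIG_PRINCIPAL},
        "Action": INVOKE_ACTION, "Resource": function_arn,
        "Condition": {"StringEquals": {"AWS:SourceAccount": account_id}},
    })
    policy["Statement"] = statements
    return json.dumps(policy)
```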