Q85 — AWS DVA-C02 Ch.3
A company has multiple AWS Lambda functions. The company's QA team needs to test these Lambda functions using Lambda function URLs. Developers need to configure Lambda function authentication to allow access so that QA IAM users can invoke the Lambda functions using the public URL. Which solution meets these requirements?
- A. Create a CLI script that iterates over the Lambda functions to add Lambda function URLs with AWS IAM authentication type. Run another script to create an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda function Amazon Resource Names (ARNs). Attach the policy to the QA IAM group. ✓
- B. Create a CLI script that iterates over the Lambda functions to add Lambda function URLs with NONE authentication type. Run another script to create an IAM resource-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda function ARNs. Attach the policy to the QA IAM group.
- C. Create a CLI script that iterates over the Lambda functions to add Lambda function URLs with AWS IAM authentication type. Run another script to iterate over the Lambda functions to create an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action from the QA IAM group's ARN.
- D. Create a CLI script that iterates over the Lambda functions to add Lambda function URLs with NONE authentication type. Run another script to iterate over the Lambda functions to create an IAM resource-based policy allowing the lambda:InvokeFunctionUrl action from the QA IAM group's ARN.
Correct Answer: A. Create a CLI script that iterates over the Lambda functions to add Lambda function URLs with AWS IAM authentication type. Run another script to create an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda function Amazon Resource Names (ARNs). Attach the policy to the QA IAM group.
Explanation
Lambda function URLs with the AWS IAM authentication type (AWS_IAM) require callers to authenticate using AWS IAM credentials, which is a secure approach ensuring that only authorized users can invoke the Lambda functions.

Creating an IAM policy: one CLI script iterates over the Lambda functions to add the function URLs, and a second script creates an IAM identity-based policy allowing the lambda:InvokeFunctionUrl action on all Lambda function ARNs. Attaching the policy to the QA IAM group grants members of that group permission to invoke the Lambda functions, which enables the QA team to test using the public Lambda function URLs.

Why other options are unsuitable:

- Options B and D use the NONE authentication type for Lambda function URLs, which is insecure because it allows anyone to invoke the Lambda functions without authentication, violating security best practices, especially in production environments.
- Option C uses the AWS IAM authentication type and an IAM identity-based policy, but it describes the policy as allowing the action from the QA IAM group's ARN and never attaches it to the group. An identity-based policy does not name a principal and takes effect only on the identity it is attached to, so this combination is ambiguous and inconsistent with standard Lambda function URL configuration patterns.

Therefore, Option A provides the correct and secure method to configure Lambda functions for QA testing via public URLs.