Q14 — AWS SAP-C02 Ch.1
Q89. A company has several AWS accounts. A development team is building an automation framework for cloud governance and remediation processes. The automation framework uses AWS Lambda functions in a centralized account. A solutions architect must implement a least privilege permissions policy that allows the Lambda functions to run in each of the company's AWS accounts. Which combination of steps will meet these requirements? (Select TWO)
- A. In the centralized account, create an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts. ✓
- B. In the other AWS accounts, create an IAM role that has minimal permissions. Add the centralized account's Lambda IAM role as a trusted entity. ✓
- C. In the centralized account, create an IAM role that has roles of the other accounts as trusted entities. Provide minimal permissions.
- D. In the other AWS accounts, create an IAM role that has permissions to assume the role of the centralized account. Add the Lambda service as a trusted entity.
- E. In the other AWS accounts, create an IAM role that has minimal permissions. Add the Lambda service as a trusted entity.
Correct Answer: A. In the centralized account, create an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts; B. In the other AWS accounts, create an IAM role that has minimal permissions. Add the centralized account's Lambda IAM role as a trusted entity.
Explanation
The combination of steps that meets the requirement of a least privilege permissions policy for Lambda functions running in each of the company's AWS accounts is A and B: a Lambda execution role in the centralized account that is allowed to assume a role in each other account, and a minimal-permission role in each other account that trusts that centralized role.

Option A: Creating an IAM role in the centralized account with the Lambda service as a trusted entity allows the Lambda functions to assume this role as their execution role. Adding an inline policy that grants sts:AssumeRole on the roles of the other AWS accounts allows the Lambda functions to assume the IAM roles in those accounts, providing the permissions they need to run in each account. Scoping that inline policy to the exact role ARNs, rather than a wildcard, is what keeps it least privilege.

Option B: In each of the other AWS accounts, creating an IAM role with minimal permissions ensures that the Lambda functions have only the privileges necessary to perform their tasks in that account. Adding the IAM role from the centralized account as a trusted entity (rather than the whole centralized account) allows only the Lambda functions running under that role to assume the role in the other accounts.

Option C is incorrect because creating an IAM role in the centralized account with the roles of the other accounts as trusted entities sets up trust in the wrong direction: it would let the other accounts' roles assume the centralized role, which does not give the centralized Lambda functions permissions in the other accounts and so does not provide a direct solution for a least privilege permissions policy for the Lambda functions.

Option D is incorrect because creating an IAM role in the other AWS accounts with permissions to assume the role of the centralized account, and adding the Lambda service as a trusted entity, again points the trust the wrong way and does not provide a complete solution for implementing a least privilege permissions policy.

Option E is incorrect because creating an IAM role in the other AWS accounts with minimal permissions and adding the Lambda service as a trusted entity only serves Lambda functions hosted in that same account; the functions in the centralized account cannot assume it, so it does not address the requirement of allowing the Lambda functions to run with least privilege permissions across multiple accounts.

Therefore, the correct combination of steps is A and B.
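The following is an added example, not part of the original question or its explanation. It builds the four policy documents that steps A and B require (the centralized role's trust policy and inline AssumeRole policy, and each member account's trust policy and minimal permissions policy) and then lints one central-to-member hop for the mistakes the wrong options embody: a wildcard in the AssumeRole resource, a member role that trusts a service principal instead of the centralized role, and a member role that trusts the whole centralized account. The account IDs, role names and S3 actions are constructed placeholders, and the lint logic is a local consistency check written for this example, not an AWS API.

```python
"""Policy documents and a local lint for the cross-account Lambda pattern (added example)."""
import json

CENTRAL_ACCOUNT = "111111111111"                      # constructed placeholder
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]     # constructed placeholders
CENTRAL_ROLE = "GovernanceLambdaRole"                  # hypothetical role name
MEMBER_ROLE = "GovernanceRemediationRole"              # hypothetical role name


def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"


def central_trust_policy():
    """Step A, part 1: the Lambda service may assume the centralized execution role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def central_assume_policy(member_accounts):
    """Step A, part 2: inline policy that names the exact member role ARNs (no wildcard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [role_arn(a, MEMBER_ROLE) for a in member_accounts]}]}


def member_trust_policy():
    """Step B, part 1: trust the centralized Lambda role itself, not the whole account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": role_arn(CENTRAL_ACCOUNT, CENTRAL_ROLE)},
        "Action": "sts:AssumeRole"}]}


def member_permissions_policy():
    """Step B, part 2: minimal permissions for one constructed remediation task."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
        "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_chain(assume_policy, member_account, member_trust):
    """Check one central->member hop; returns a list of findings (empty means consistent)."""
    findings = []
    target = role_arn(member_account, MEMBER_ROLE)
    central = role_arn(CENTRAL_ACCOUNT, CENTRAL_ROLE)

    # 1. The centralized inline policy must allow assuming exactly the member role.
    allowed = [r for s in assume_policy["Statement"]
               if s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
               for r in _as_list(s["Resource"])]
    if any("*" in r for r in allowed):
        findings.append("central assume policy uses a wildcard Resource; name the member role ARNs")
    elif target not in allowed:
        findings.append(f"central role is not allowed to assume {target}")

    # 2. The member trust policy must name the centralized role as principal.
    principals = []
    for s in member_trust["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        principal = s["Principal"]
        if principal == "*":
            principals.append("*")
            continue
        principals += _as_list(principal.get("AWS", []))
        if "Service" in principal:   # option E shape: only same-account functions can use this
            findings.append(f"member trust policy trusts service {principal['Service']}, "
                            "which does not admit functions in the centralized account")
    if f"arn:aws:iam::{CENTRAL_ACCOUNT}:root" in principals or "*" in principals:
        findings.append("member trust policy trusts the whole centralized account or everyone")
    if central not in principals:
        findings.append(f"member trust policy does not trust {central}")
    return findings


def policy_documents():
    """All four documents as JSON strings, keyed by where they are attached."""
    return {
        "central/trust": json.dumps(central_trust_policy(), indent=2),
        "central/inline-assume": json.dumps(central_assume_policy(MEMBER_ACCOUNTS), indent=2),
        "member/trust": json.dumps(member_trust_policy(), indent=2),
        "member/permissions": json.dumps(member_permissions_policy(), indent=2),
    }


if __name__ == "__main__":
    for name, doc in policy_documents().items():
        print(f"--- {name} ---\n{doc}")
    for acct in MEMBER_ACCOUNTS:
        print(acct, lint_chain(central_assume_policy(MEMBER_ACCOUNTS), acct, member_trust_policy()) or "OK")
```

Running the module prints the four documents and "OK" for each member account; feeding `lint_chain` a trust policy of the option E shape (Lambda service principal in the member account) or an inline policy with `"Resource": "*"` produces findings instead, which is the pre-deployment check a practitioner would want before rolling the roles out with CloudFormation or Terraform.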