Q2 — AWS SCS-C02 Ch.1
Question 2 of 100
A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy: Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?
- A. Remove the Condition element. Change the Principal element to the following:  
- B. Change the Action element to the following:
- C. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".   ✓
- D. Change the Resource element to "arn:aws:lambda::function:MyLambdaFunction". Change the Principal element to the following:
Correct Answer: C. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".  
Explanation
According to the question, the Lambda function encounters an error when it attempts to read objects in DOC-EXAMPLE-BUCKET. The Condition element in the bucket policy uses an ArnLike condition, but its matching rule may be incorrect or not specific enough. Option C changes the Resource element to the object-level ARN "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*": object read actions are evaluated against object ARNs, so a Resource that names only the bucket does not grant access to the objects inside it. This is the most direct and effective fix, because it lets the Lambda function's object reads match the policy's Resource.