Q21 — AWS SCS-C02 Ch.1
Question 21 of 100, Chapter 1
A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions. The company's developers are trying to debug a Lambda function that is deployed. The developers cannot debug the Lambda function because the Lambda function is not logging its output to Amazon CloudWatch Logs. Which combination of steps should a security engineer take to resolve this issue? (Choose two.)
- A. Check the role that is defined in the CloudFormation template and is passed to the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com. ✓
- B. Check the execution role that is configured in the CloudFormation template for the Lambda function. Ensure that the execution role has the necessary permissions to write to CloudWatch Logs. ✓
- C. Check the Lambda function configuration in the CloudFormation template. Ensure that the Lambda function has an AWS X-Ray tracing configuration that is set to Active mode or PassThrough mode.
- D. Check the resource policy that is configured in the CloudFormation template for the Lambda function. Ensure that the resource policy has the necessary permissions to write to CloudWatch Logs.
- E. Check the role that the developers use to debug the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
Correct Answer: A and B.
Explanation
An AWS Lambda function needs an execution role with the appropriate permissions in order to write logs to Amazon CloudWatch Logs. The AWS documentation states that the Lambda execution role must include permissions for logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents. In addition, the role's trust policy must allow the Lambda service (lambda.amazonaws.com) to assume the role. The trust policy in option A ensures that the Lambda service can assume the execution role, and option B ensures that the execution role has the permissions needed to write to CloudWatch Logs. Among the other options, the X-Ray configuration (C) and the resource policy (D) are unrelated to log-writing permissions, and the permissions of the developers' own role (E) do not affect the execution permissions of the Lambda function itself.