Q87 — AWS SOA-C02 Ch.1
A company has an AWS Lambda function in Account A. The Lambda function needs to read the objects in an Amazon S3 bucket in Account B. A SysOps administrator must create corresponding IAM roles in both accounts. Which solution will meet these requirements?
- A. In Account A, create a Lambda execution role to assume the role in Account B. In Account B, create a role that the function can assume to gain access to the S3 bucket. ✓
- B. In Account A, create a Lambda execution role that provides access to the S3 bucket. In Account B, create a role that the function can assume.
- C. In Account A, create a role that the function can assume. In Account B, create a Lambda execution role that provides access to the S3 bucket.
- D. In Account A, create a role that the function can assume to gain access to the S3 bucket. In Account B, create a Lambda execution role to assume the role in Account A.
Correct Answer: A. In Account A, create a Lambda execution role to assume the role in Account B. In Account B, create a role that the function can assume to gain access to the S3 bucket.
Explanation
In an AWS cross-account access scenario, the requesting account normally holds the execution role and the resource-owning account holds the role that can be assumed. Here the Lambda function lives in Account A and must reach the S3 bucket in Account B by assuming a role across accounts. The correct configuration is: in Account A, create a Lambda execution role and grant it permission (sts:AssumeRole) to assume the role in Account B; in Account B, create the role to be assumed, attach the S3 access policy to it, and set its trust policy to trust the Lambda execution role in Account A. Option A matches this pattern; the other options place the roles in the wrong accounts or reverse the direction of the permission grant. AWS security documentation states that cross-account access is established through a trust relationship and implemented via role delegation.