Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 116 discussion

Option A meets these requirements?

A) Correct - Setting the AWS_IAM authentication type ensures that only IAM users or roles with the right permissions can invoke the Lambda function URLs. C) Eliminated - While this approach is secure, creating individual resource-based policies for hundreds of Lambda functions is unnecessarily complex and hard to manage. An identity-based policy (used in Option A) is simpler because it applies to the entire QA IAM group at once. B/D - Eliminated - Setting NONE as the auth type makes the Lambda function URLs publicly accessible without authentication.

Apologies again, please refer to the youtube link I shared earlier..correct ans is A

I think the answer is B here, reason being the function should be invoked using public urls

A is the correct answer.

This approach leverages AWS IAM authentication (AWS_IAM auth type) for Lambda function URLs, ensuring that only authenticated and authorized IAM entities can invoke the Lambda functions. By creating an IAM policy that specifies the lambda:InvokeFunctionUrl action and attaching it to the QA IAM group, you provide the necessary permissions for the QA team to invoke the Lambda functions securely. This method aligns with AWS best practices for security and access control, allowing for scalable and manageable access management across multiple Lambda functions.

I don't know why so much A, but ins't A giving the access to all the lambda?

I have to go for A even though it appears both should suffice. I took this from AWS Documentation If you choose the AWS_IAM auth type, users who need to invoke your Lambda function URL must have the lambda:InvokeFunctionUrl permission. Depending on who makes the invocation request, you may have to grant this permission using a resource-based policy. If the principal making the request is in the same AWS account as the function URL, then the principal must either have lambda:InvokeFunctionUrl permissions in their identity-based policy, OR have permissions granted to them in the function's resource-based policy. AWS clearly states both should be good. The reason for selecting A is the wording is clear, loop on to lambda function to provide the permission was bit of confusing to me.

I don't get all A answers. This is typical resource based policy that allows invoking a function by concrete principal - in this case its the QA role. For all those who vote for A - go ahead and create simple API Gateway with a lambda integration type. Then look at the resource based policy - lambda:InvokeFunction allowed by apigateway.amazonaws.com with ArnLike condition. ChatGTP also says C.

Explanation: In this scenario, the QA team needs to test AWS Lambda functions using Lambda function URLs while ensuring proper authentication and access control. Here's why option C is the appropriate solution: Authentication Type: Using the AWS_IAM auth type for the Lambda function URLs ensures that the Lambda functions can be invoked only by users and roles that have the necessary IAM permissions. Identity-Based Policy: By creating an IAM identity-based policy, you grant permissions directly to the QA IAM group to invoke the Lambda functions using the Lambda function URLs. This provides fine-grained control over which IAM entities can access the functions. Option A uses the AWS_IAM auth type and creates a policy for the QA IAM group, which is a good direction. However, the creation of a policy that allows lambda:InvokeFunctionUrl for all Lambda function ARNs might grant excessive permissions.