ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Developer - Associate DVA-C02 All Questions

View all questions & answers for the AWS Certified Developer - Associate DVA-C02 exam
Go to Exam

Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 100 discussion

Exam question from Amazon's AWS Certified Developer - Associate DVA-C02
Question #: 100
Topic #: 1
[All AWS Certified Developer - Associate DVA-C02 Questions]

A company uses AWS Lambda functions and an Amazon S3 trigger to process images into an S3 bucket. A development team set up multiple environments in a single AWS account.

After a recent production deployment, the development team observed that the development S3 buckets invoked the production environment Lambda functions. These invocations caused unwanted execution of development S3 files by using production Lambda functions. The development team must prevent these invocations. The team must follow security best practices.

Which solution will meet these requirements?

  • A. Update the Lambda execution role for the production Lambda function to add a policy that allows the execution role to read from only the production environment S3 bucket.
  • B. Move the development and production environments into separate AWS accounts. Add a resource policy to each Lambda function to allow only S3 buckets that are within the same account to invoke the function.
  • C. Add a resource policy to the production Lambda function to allow only the production environment S3 bucket to invoke the function.
  • D. Move the development and production environments into separate AWS accounts. Update the Lambda execution role for each function to add a policy that allows the execution role to read from the S3 bucket that is within the same account.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by junrun3 at May 15, 2023, 1:06 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AgboolaKun
Highly Voted 2 years, 2 months ago
Selected Answer: C
B is a wrong answer because I do not understand the need to move the environments to separate AWS accounts. The resource policy in the production environment can be used to control which S3 bucket invokes the function. In my understanding, the answer choice C fulfills the security best practices requirement in the question.
upvoted 29 times
MrPie
2 years ago
It's a best practice: Best Practices: Separate workloads using accounts: Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access. https://wa.aws.amazon.com/wat.question.SEC_1.en.html
upvoted 15 times
maurice2005
1 year, 4 months ago
There is nowhere mentioned in the question that workload is the problem!
upvoted 1 times
...
...
wh1t4k3r
11 months ago
"The team must follow security best practices" Security best practices state that prod should be separated from non prod environments.
upvoted 3 times
...
jipark
1 year, 11 months ago
resource policy totally fulfill requirement
upvoted 3 times
...
...
csG13
Highly Voted 2 years, 1 month ago
Selected Answer: B
I choose B because it says that the team should follow the best security practices. AWS well-architected framework suggests separation. For reference see the link below: https://wa.aws.amazon.com/wat.question.SEC_1.en.html
upvoted 23 times
...
wmv__
Most Recent 3 months, 1 week ago
Selected Answer: C
Amazon S3 can invoke a Lambda function only if the Lambda function's resource-based policy allows it. In this case, development S3 buckets are incorrectly configured to invoke the production Lambda function. This implies that the resource policy on the production Lambda function is too permissive. To fix this, you should restrict the Lambda function’s resource policy so that only the production S3 bucket has permission to invoke it.
upvoted 1 times
...
mooncake1
5 months, 3 weeks ago
Selected Answer: C
Separating account can be more secure and easy but maintenance will be more hard. It is developer's role and ability to distinguish and maintain between two environments, not just splitting them because it's easy. What AWS wants as a DVA Certificate Member is not a person who splits the accounts because its easy , but is able to use IAM properly.
upvoted 1 times
...
rkotit
5 months, 4 weeks ago
Selected Answer: C
When securing AWS Lambda functions, you must ensure that only authorized resources (like an S3 bucket) can trigger or invoke the function. In this scenario, the simplest and most effective solution is to use resource-based policies on the Lambda function to restrict access.
upvoted 1 times
...
sumanshu
6 months, 3 weeks ago
Selected Answer: C
A) Eliminated - This approach focuses on the Lambda function's ability to read from S3, not on which S3 buckets can invoke it. B) Eliminated - Moving environments to separate AWS accounts might improve isolation but is not necessary to solve the stated problem C) Correct - The resource policy in Option C restricts Lambda function invocations to only the intended production S3 bucket. This is a direct implementation of AWS's least privilege security model
upvoted 1 times
sumanshu
5 months, 1 week ago
B) can be correct While this does restrict invocation to the production S3 bucket, keeping both environments in the same account is not a best security practice. A single-account setup increases the risk of misconfigurations, accidental access, and security breaches.
upvoted 1 times
...
...
Dimix3
6 months, 4 weeks ago
Selected Answer: C
Option C focuses on securing the production Lambda function by adding a resource policy to restrict invocations. This policy would specify that only the production S3 bucket can trigger the production Lambda function. This prevents accidental invocations from development S3 buckets.
upvoted 1 times
...
nbxyzd
8 months, 2 weeks ago
Selected Answer: B
Pls pay attention to keywords when you do aws quizzes. The best security practice: option B The lowest operational cost: option C. So B is definitely the answer.
upvoted 2 times
...
AmitRanchi
9 months, 1 week ago
Selected Answer: C
Because- B. Move the development and production environments into separate AWS accounts: While moving to separate accounts is a good practice for environment isolation, it's a more complex and potentially costly solution. Also, it isn't strictly necessary to achieve the goal of preventing unauthorized invocations, which can be accomplished via resource policies. It adds overhead without directly addressing the root cause.
upvoted 1 times
...
Saudis
10 months, 1 week ago
Selected Answer: B
Best practices is the key Word
upvoted 1 times
...
Saurabh04
11 months, 2 weeks ago
Option D is correct. This approach ensures isolation while maintaining manageability
upvoted 1 times
...
queekao
11 months, 4 weeks ago
Selected Answer: C
Option C is the simplest way to achieve this requirement.
upvoted 1 times
nbxyzd
8 months, 2 weeks ago
Read carefully. The questions asks for 'the best' not the 'the simplest' security practice.
upvoted 1 times
...
...
Anandesh
12 months ago
Selected Answer: B
Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access
upvoted 1 times
...
Aws_aspr
1 year ago
Asked 18 July 24 WIthout security best practices word. So C is correct answer for this.
upvoted 1 times
...
65703c1
1 year, 1 month ago
Selected Answer: B
B is the correct amswer.
upvoted 1 times
...
SerialiDr
1 year, 4 months ago
Selected Answer: C
This approach involves configuring a resource-based policy (also known as a Lambda function policy) that explicitly defines which resources (in this case, S3 buckets) can invoke the Lambda function. By specifying only the production S3 bucket in the resource policy of the production Lambda function, you ensure that only events from the designated production S3 bucket can trigger the production Lambda function. This prevents development or other non-production buckets from inadvertently invoking production Lambda functions, thus maintaining environment integrity and security best practices.
upvoted 1 times
...
KarBiswa
1 year, 4 months ago
Selected Answer: D
I feel it is D as there is no doubt we need to separately create two accounts for DEV & PROD. After that there must lambda execution roles where we can the specific policies. Resource based policies more of a Cross Account access. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html https://repost.aws/knowledge-center/lambda-execution-role-s3-bucket As the question demands the best practices scenario so option D fulfils that.
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel