Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 105 discussion

Best way to check it... The question is taken from the example shown here in the documentation: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-lambda-permissions

The correct solution is D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal. The principle of least privilege requires that permissions are granted only to the minimum necessary to perform a task. In this case, the Lambda function needs to be able to be invoked by Amazon EventBridge (Amazon CloudWatch Events). To meet these requirements, you can add a resource-based policy to the function that allows the InvokeFunction action to be performed by the Service: events.amazonaws.com principal. This will allow Amazon EventBridge to invoke the function, but will not grant any additional permissions to the function.

Following the principle of least privilege, you should not grant Events the * privilege. Just enough to perform its job will do. Also, you need a resource-based policy to attach to the function, for Events to be able to execute the function

D is the correct answer

This is a good example article with nice learning material. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-run-lambda-schedule.html

Good explanation from ChatGPT: In order to adhere to the principle of least privilege when configuring permissions for an AWS Lambda function invoked by an Amazon EventBridge (CloudWatch Events) rule, the most appropriate solution would be: D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal. This solution involves attaching a resource-based policy to the Lambda function. It specifies that the only entity allowed to invoke the Lambda function is the Amazon EventBridge service (represented by the principal events.amazonaws.com) and restricts the action to only invoking the function (lambda:InvokeFunction). This aligns with the principle of least privilege by granting the necessary permissions explicitly to the service that needs them, without providing overly permissive access.

Is anyone can explain why B is can't be a good choice? The option adds the execution role to the function, with lambda:InvokeFunction as the action and Service: lambda.amazonaws.com as the body. This restricts the Lambda function to only the Lambda service, providing an effective layer of security. and fully complies with the principle of least privilege

why not choose B, an execution role is attached to lambda and a policy is attached to an execution role

lambda:InvokeFunction is the action needed to invoke the Lambda function. Service: events.amazonaws.com is the principal (the AWS service) that is allowed to invoke the Lambda function. In this case, you're explicitly allowing CloudWatch Events to invoke the function.

D * is BIG NO. And we are talking about policy --> hence D

In this solution, a resource-based policy is added to the Lambda function, which allows the specified principal (events.amazonaws.com) to invoke the function. The lambda:InvokeFunction action provides the necessary permission for the Amazon EventBridge rule to trigger the Lambda function. Option A is incorrect because it assigns the lambda:InvokeFunction action to all principals (*), which grants permission to invoke the function to any entity, which is broader than necessary. Option B is incorrect because it assigns the lambda:InvokeFunction action to the specific principal "lambda.amazonaws.com," which is the service principal for AWS Lambda. However, the requirement is for the EventBridge service principal to invoke the function. Option C is incorrect because it assigns the lambda:* action to the specific principal "events.amazonaws.com," which is the service principal for Amazon EventBridge. However, it grants broader permissions than necessary, allowing any Lambda function action, not just lambda:InvokeFunction.

Option C is incorrect, the reason is that, firstly, lambda:* allows Amazon EventBridge to perform any action on the function and this is beyond the minimum permissions needed.

Since its for Lamda which is a resource, resource policy is the trick

https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#lambda-permissions

The definition scope of D is the smallest, so is it

events.amazonaws.com is principal for eventbridge

Option D