Ends in
00
days
00
hrs
00
mins
00
secs
SHOP NOW

Get Certified in Cloud Security - $4 OFF our AWS Security Specialty and AZ-500 Azure Security Engineer Associate Practice Exams!

Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified Solutions Architect Associate Bonus Review Mode set 7

  • Bonus Review Mode set 7

  • RachnaV

    Member
    October 11, 2023 at 2:44 am

    I have having a doubt for question 36 explanation about IAM roles do not support principal element. However the correct option also has principal element. Can you please elaborate on the below explanation specifically on the second IAM role part.

    We can automatically cross out the options that mention the execution role for two reasons. First, execution roles grant Lambda functions access to other AWS services. You can’t use it to control which entity can invoke the function. Second, IAM roles, in general, do not support the principal element. Hence, the following options are incorrect:

    Thanks

  • JR-TutorialsDojo

    Administrator
    October 16, 2023 at 2:53 pm

    Hi RachnaV,

    Could you please post a snippet of the question so we can look it up?

    Thanks,
    JR @ Tutorials Dojo

    • RachnaV

      Member
      October 18, 2023 at 11:30 am

      A serverless application has been launched on the DevOps team’s AWS account. Users from the development team’s account must be granted permission to invoke the Lambda function that runs the application. The solution must use the principle of least privilege access.

      Which solution will fulfill these criteria?

      • JR-TutorialsDojo

        Administrator
        October 25, 2023 at 9:08 am

        Hi RachnaV,

        IAM roles do not support the Principal element in their identity-based policies. Identity-based policies are attached to IAM identities, which could be users, groups, or roles. These policies define what actions the attached identity can perform on AWS resources. Therefore, you don’t need to specify the principal in the policy as it’s implicit that the policy is associated with the identity.

        Resource-based policies are attached directly to a resource (like an S3 bucket or a Lambda function). These policies define who (which principals) can access that resource and what actions they can perform on it.

        Hence, the correct answer is: On the function’s resource-based policy, add a permission that includes the lambda:InvokeFunction as action and arn:aws:iam::[DEV AWS Account Number]:root as principal.

        This solution uses a resource-based policy, which is a policy attached directly to a resource (in this case, the Lambda function). The policy defines who (which principals) can access that resource and what actions they can perform on it. In this case, you’re allowing the development team’s AWS account (specified by the ARN arn:aws:iam::[DEV AWS Account Number]:root) to invoke the Lambda function (lambda:InvokeFunction).

        I hope this helps. If you have any further questions, please don’t hesitate to contact us.

        Regards,
        JR @ Tutorials Dojo

Viewing 1 - 2 of 2 replies

Log in to reply.

Original Post
0 of 0 posts June 2018
Now