Hi RachnaV,
IAM roles do not support the Principal element in their identity-based policies. Identity-based policies are attached to IAM identities, which could be users, groups, or roles. These policies define what actions the attached identity can perform on AWS resources. Therefore, you don’t need to specify the principal in the policy as it’s implicit that the policy is associated with the identity.
Resource-based policies are attached directly to a resource (like an S3 bucket or a Lambda function). These policies define who (which principals) can access that resource and what actions they can perform on it.
Hence, the correct answer is: On the function’s resource-based policy, add a permission that includes the lambda:InvokeFunction as action and arn:aws:iam::[DEV AWS Account Number]:root as principal.
This solution uses a resource-based policy, which is a policy attached directly to a resource (in this case, the Lambda function). The policy defines who (which principals) can access that resource and what actions they can perform on it. In this case, you’re allowing the development team’s AWS account (specified by the ARN arn:aws:iam::[DEV AWS Account Number]:root) to invoke the Lambda function (lambda:InvokeFunction).
I hope this helps. If you have any further questions, please don’t hesitate to contact us.
Regards,
JR @ Tutorials Dojo
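As an added example (not part of the reply above, and not Tutorials Dojo's own code), here is the statement that the recommended solution adds to the function's resource-based policy, beside a small audit that flags invoke grants to a wildcard principal or to an account other than the trusted one. The function ARN, account IDs and statement ID are constructed placeholders standing in for the real values and for `[DEV AWS Account Number]`.

```python
import re

# Constructed placeholder identifiers (not real accounts or functions).
PROD_FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:report-generator"
DEV_ACCOUNT_ID = "222222222222"  # stands in for [DEV AWS Account Number]
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(.+)$")


def invoke_permission_statement(function_arn, trusted_account_id, sid="AllowDevAccountInvoke"):
    """Statement that 'aws lambda add-permission' appends to the function's resource-based
    policy. Naming the account root as principal leaves *which* identities in that account
    may invoke to the account's own identity-based policies (no Principal needed there)."""
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("AWS account IDs are 12 digits")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
    }


def principal_account(principal):
    """Account ID behind an AWS principal (bare ID or IAM ARN); None for '*' or unknown."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = IAM_ARN.match(principal)
    return m.group(1) if m else None


def audit_invoke_grants(policy, allowed_accounts):
    """(Sid, reason) findings for Allow statements that grant invoke to a principal outside
    allowed_accounts, or to any principal at all. Service principals are not examined."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            acct = principal_account(p)
            if acct is None:
                findings.append((st.get("Sid"), f"unrestricted or unrecognised principal {p}"))
            elif acct not in allowed_accounts:
                findings.append((st.get("Sid"), f"untrusted account {acct}"))
    return findings


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [invoke_permission_statement(PROD_FUNCTION_ARN, DEV_ACCOUNT_ID)]}
    print(audit_invoke_grants(policy, {DEV_ACCOUNT_ID}))  # [] : only the trusted dev account may invoke
```

The audit can be run over the output of `aws lambda get-policy` to confirm that nothing beyond the intended account root was granted.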