A company is deploying a serverless workload. A solutions architect must follow least privilege when configuring permissions for an AWS Lambda function. An Amazon EventBridge (Amazon CloudWatch Events) rule will invoke the function. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal..
Why this is the answer
The correct solution is to add a resource-based policy to the Lambda function. This policy grants permission to the EventBridge service (Service: events.amazonaws.com) to invoke the specific Lambda function (lambda:InvokeFunction). This adheres to the principle of least privilege because it explicitly allows only EventBridge to invoke the function, and only for the InvokeFunction action. The incorrect options are: Adding an execution role with lambda:InvokeFunction and as the principal is incorrect because execution roles define what the Lambda function can do, not who can invoke it. Also, as a principal is overly permissive. Adding an execution role with lambda:InvokeFunction and Service: lambda.amazonaws.com as the principal is also incorrect for the same reason: execution roles define function permissions, not invocation permissions. Adding a resource-based policy with lambda: as the action is too broad. While the principal is correct, lambda: grants all Lambda actions, violating least privilege.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed