Amazon Exam DOP-C02 Topic 5 Question 35 Discussion

Actual exam question for Amazon's DOP-C02 exam

Question #: 35
Topic #: 5

A DevOps learn has created a Custom Lambda rule in AWS Config. The rule monitors Amazon Elastic Container Repository (Amazon ECR) policy statements for ecr:' actions. When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route the notification to a security team.

When the custom AWS Config rule is evaluated, the AWS Lambda function fails to run.

Which solution will resolve the issue?

AModify the Lambda function's resource policy to grant AWS Config permission to invoke the function.

BModify the SNS topic policy to include configuration changes for EventBridge to publish to the SNS topic.

CModify the Lambda function's execution role to include configuration changes for custom AWS Config rules.

DModify all the ECR repository policies to grant AWS Config access to the necessary ECR API actions.
Step 1: Understanding Lambda Permissions and AWS Config
The custom AWS Config rule evaluates resources and invokes an AWS Lambda function when a compliance check is triggered. For AWS Config to invoke the Lambda function, it requires permission to do so.
Issue: The Lambda function fails to execute because AWS Config doesn't have permission to invoke it.
Action: Modify the resource-based policy of the Lambda function to grant AWS Config permission to invoke the Lambda function.
Why: Without this permission, AWS Config cannot trigger the Lambda function, which is why the evaluation fails.

Show Suggested Answer

Suggested Answer: A

This corresponds to Option A: Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.

by Marge at Sep 19, 2024, 01:07 AM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ariel

6 months ago

Hold up, what if the Lambda function is also responsible for publishing to the SNS topic? Then B might be the solution. Gotta love these tricky AWS exam questions!

upvoted 0 times

...

Tenesha

6 months ago

Haha, I bet the person who wrote this question was just trying to trick us. A is the clear winner here, no need to overcomplicate things.

upvoted 0 times

Shay

5 months ago

C) Modify the Lambda function's execution role to include configuration changes for custom AWS Config rules.

upvoted 0 times

...

Garry

5 months ago

B) Modify the SNS topic policy to include configuration changes for EventBridge to publish to the SNS topic.

upvoted 0 times

...

Holley

5 months ago

Definitely, no need to overthink it. A is the clear winner.

upvoted 0 times

...

Nan

5 months ago

A) Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.

upvoted 0 times

...

Lonny

5 months ago

I agree, A is the best solution. Simple and straightforward.

upvoted 0 times

...

Mee

5 months ago

A) Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.

upvoted 0 times

...

Marquetta

6 months ago

I also think modifying the Lambda function's resource policy is the correct solution. It makes sense to grant AWS Config permission to invoke the function.

upvoted 0 times

...

Helaine

6 months ago

I agree with Levi. Without the permission, AWS Config cannot trigger the Lambda function, causing the evaluation to fail.

upvoted 0 times

...

Wai

6 months ago

Hmm, I'm not sure. Wouldn't D also work? Giving AWS Config access to the ECR API actions might be another way to resolve the problem.

upvoted 0 times

...

Levi

6 months ago

I think the solution is to modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.

upvoted 0 times

...

Avery

6 months ago

I think C is the way to go. Modifying the Lambda function's execution role to include the necessary permissions for the custom Config rule should do the trick.

upvoted 0 times

Jess

6 months ago

D: I agree. Without the necessary permissions, the Lambda function won't be able to run when triggered by AWS Config.

upvoted 0 times

...

Sabra

6 months ago

C: A sounds like the correct solution. Granting AWS Config permission to invoke the function is crucial for it to work properly.

upvoted 0 times

...

Fausto

6 months ago

B: That makes sense. It's important to ensure that AWS Config has the permission to invoke the Lambda function.

upvoted 0 times

...

Leah

6 months ago

A: I think C is the way to go. Modifying the Lambda function's execution role to include the necessary permissions for the custom Config rule should do the trick.

upvoted 0 times

...

India

6 months ago

The solution is definitely A. AWS Config needs permission to invoke the Lambda function, and that's what the resource policy is for. Anything else won't fix the issue.

upvoted 0 times

Kent

5 months ago

C: Definitely, without granting permission, AWS Config can't trigger the Lambda function.

upvoted 0 times

...

Socorro

5 months ago

B: Yeah, modifying the Lambda function's resource policy is the way to go.

upvoted 0 times

...

Dyan

6 months ago

A: I think the solution is A. AWS Config needs permission to invoke the Lambda function.

upvoted 0 times

...