Welcome to Pass4Success


Amazon Exam SCS-C01 Topic 2 Question 65 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 65
Topic #: 2

A Security Engineer has created an Amazon CloudWatch Events rule that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are written to the same S3 bucket. The Engineer runs a test execution of the Lambda function from the AWS Console, and the function runs successfully.

After several minutes, the Engineer finds that the Athena query has failed with the error message "Insufficient Permissions". The IAM permissions of the Security Engineer and of the Lambda function's execution role are shown below:

Security Engineer: (IAM policy not reproduced on this page)

Lambda function execution role: (IAM policy not reproduced on this page)

What is causing the error?

Suggested Answer: C, E

The answer choices this explanation refers to (A through E) are not reproduced on this page.

Cross-account use of a KMS key requires permission on both sides. The key policy of the KMS key, which lives in the account that owns the key (here the security account), must grant the external account or principal access to the key; a key policy is the only policy that can do this, because an IAM policy in another account cannot by itself grant access to a resource that account does not own. In addition, an IAM policy in the external account (here the development account) must grant the principal the KMS actions it will use; the key policy grant is the prerequisite that the IAM policy then delegates to the principal. Both are needed: if either side is missing, the request is denied. In this scenario the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key in the security account must allow access to the IAM role of the new Lambda function in the development account (option E), and that IAM role in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates the IAM role for the new Lambda function in the security account rather than in the development account. Option B is incorrect because a key policy is a resource policy attached to the key; it cannot be attached to an IAM role. Option D is incorrect because it grants access to a role in the security account rather than to the role of the new Lambda function in the development account.

Verified Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
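The two policy documents the explanation above describes, written out as an added example that is not part of the original page or of any AWS documentation. The account IDs (security account 111111111111, development account 222222222222), the region, the key ID, the role name `dev-lambda-role` and the specific set of KMS actions granted are assumptions chosen for illustration; both documents are bundled in one object only so they can be shown together.

```json
{
  "SecurityAccountKeyPolicy_OptionE": {
    "Version": "2012-10-17",
    "Id": "cross-account-lambda-key-policy",
    "Statement": [
      {
        "Sid": "KeepKeyManageableFromOwningAccount",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "AllowDevelopmentLambdaRoleToUseKey",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::222222222222:role/dev-lambda-role" },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }
    ]
  },
  "DevelopmentAccountRolePolicy_OptionC": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "UseKeyInSecurityAccount",
        "Effect": "Allow",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
      }
    ]
  }
}
```

The first document is applied in the security account with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json`; the second is attached to the role in the development account with `aws iam put-role-policy`. Two points a practitioner should check: `"Resource": "*"` in a key policy means "this key", so the statement grants nothing beyond the key it is attached to, and the key policy names the specific role ARN rather than the development account's root principal, so no other principal in that account can use the key. If the role is deleted and recreated with the same name, the key policy statement no longer matches (KMS stores the role's unique ID behind the ARN), so the statement must be re-added.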


Contribute your Thoughts:

Gregoria
8 months ago
Oof, this is a tough one. I'm leaning towards B and E. The security engineer needs to bridge the gap between the development and security accounts to get this resolved.
upvoted 0 times
Anastacia
7 months ago
B: E) Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.
upvoted 0 times
Reuben
8 months ago
A: B) In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
upvoted 0 times
Jill
8 months ago
Haha, this reminds me of that time I accidentally locked myself out of my own house. Anyway, I'm going with B and E. Gotta make sure the roles and policies are set up correctly across both accounts.
upvoted 0 times
Lenora
7 months ago
B: Exactly, that way the new Lambda function can use the KMS key without any issues.
upvoted 0 times
Oneida
7 months ago
A: The key policy in the security account needs to allow access to the IAM role of the new Lambda function in the development account.
upvoted 0 times
Colene
7 months ago
B: Totally, and attaching a key policy that allows access to the KMS key in the security account is a must.
upvoted 0 times
Mary
8 months ago
A: Yeah, setting up the IAM role for the new Lambda function in the development account is crucial.
upvoted 0 times
Rossana
9 months ago
I think option E could also be a valid solution. Configuring a key policy for the KMS key to allow access to the IAM role in the development account.
upvoted 0 times
Nikita
9 months ago
Hmm, this seems like a tricky one. I'd go with B and D. Configuring the IAM role in the development account and the key policy in the security account should do the trick.
upvoted 0 times
Yuki
7 months ago
A: Let's go ahead and implement those steps to see if it resolves the problem with the Lambda function.
upvoted 0 times
Ezekiel
7 months ago
B: Agreed, setting up the IAM role in the development account and adjusting the key policy in the security account should resolve the access issue.
upvoted 0 times
Carlee
8 months ago
A: I think we should go with option B and D. That way we cover both the IAM role and key policy.
upvoted 0 times
Audry
8 months ago
Definitely, B and D seem like the right combination of steps to resolve the problem.
upvoted 0 times
Louis
8 months ago
Agreed, setting up the IAM role in the development account and the key policy in the security account should solve the issue.
upvoted 0 times
Blossom
8 months ago
I think B and D are the way to go. It's all about configuring the IAM role and key policy.
upvoted 0 times
Lavonna
9 months ago
I believe option A is correct. It makes sense to configure the IAM role and attach the necessary policy for access.
upvoted 0 times
Bernardo
9 months ago
I agree with Kyoko. They should also attach an IAM policy that allows access to the KMS key in the security account.
upvoted 0 times
Lashandra
9 months ago
I think the answer is B and E. The developer needs to configure an IAM role in the development account and attach a key policy in the security account to allow access to the KMS key.
upvoted 0 times
William
8 months ago
Developer: That makes sense, let's go ahead and make those changes.
upvoted 0 times
Cammy
8 months ago
Security Engineer: And in the security account, we should attach a key policy to allow access to the KMS key.
upvoted 0 times
Wenona
8 months ago
Security Engineer: Yes, in the development account we need to configure an IAM role for the new Lambda function.
upvoted 0 times
Mohammad
8 months ago
Developer: I think the answer is B and E.
upvoted 0 times
Kyoko
9 months ago
I think the security engineer should configure an IAM role for the new Lambda function in the security account.
upvoted 0 times
