
Getting Started with Serverless: IAM Entities for Lambda Functions to Interact with AWS Services

Learn about the essential IAM entities required for a Lambda function to interact with other AWS services, such as DynamoDB. Discover the roles of trust policies and IAM policies in granting necessary permissions.


Question

Which of the following IAM entities must be included in an execution role for a Lambda function to interact with other services, such as DynamoDB? (Select TWO.)

A. AWS Serverless Application Model (AWS SAM) to help manage your policies.
B. IAM user with admin permissions to Lambda and DynamoDB
C. IAM group defining users of the Lambda function
D. Trust policy that grants “AssumeRole” permission to Lambda to act on DynamoDB
E. IAM policy that defines the actions that can be taken within DynamoDB

Answer

D. Trust policy that grants “AssumeRole” permission to Lambda to act on DynamoDB
E. IAM policy that defines the actions that can be taken within DynamoDB

Explanation

You need both an IAM policy that defines the actions the function may take in DynamoDB and a trust policy that lets the Lambda service assume the execution role (the sts:AssumeRole grant). You do not have to create any IAM users or groups for Lambda to take action; the function runs with the role's temporary credentials, not with a user's long-lived access keys.

To enable a Lambda function to interact with other AWS services, such as DynamoDB, the following two IAM entities must be included in the execution role:

D. Trust policy that grants “AssumeRole” permission to Lambda to act on DynamoDB
E. IAM policy that defines the actions that can be taken within DynamoDB

A trust policy (D) is the role's trust relationship: it names the Lambda service principal (lambda.amazonaws.com) as allowed to call sts:AssumeRole on the execution role. Note the precise scope: the trust policy decides who may assume the role, not what the role may do in DynamoDB, which is the job of the IAM policy in E. When the function is invoked, Lambda assumes the role and obtains temporary credentials on the function's behalf, which are what every DynamoDB call is signed with. AWS recommends adding aws:SourceAccount and aws:SourceArn conditions to this trust policy so that only the intended function in the intended account can assume the role (cross-service confused-deputy prevention).

An IAM policy (E) is equally important: it defines the specific actions the Lambda function may perform in DynamoDB and on which tables. This policy determines the level of access the function has, such as read (dynamodb:GetItem, dynamodb:Query), write (dynamodb:PutItem, dynamodb:UpdateItem) or delete (dynamodb:DeleteItem) operations, and should be scoped to the table ARNs the function actually uses rather than "dynamodb:*" on Resource "*". The same policy (or the AWS managed AWSLambdaBasicExecutionRole policy) also has to grant the CloudWatch Logs actions the function needs to write its logs.
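The two documents described above, side by side, as an added example that is not part of the original page or of any AWS code: a trust policy restricted to the Lambda service principal for one function, a least-privilege permissions policy for one table, and a small linter that flags the admin-style grants the wrong options (B) would imply. The account ID, region, function name and table name are made-up placeholders; the CLI commands in the comments are the usual way to attach these documents to a role and are not executed by the script.

```python
"""Build and sanity-check the two policy documents behind a Lambda execution role.

Added example for this page, not code from AWS or the course. The account ID,
region, function name and table name are made-up placeholders.
"""
import json

ACCOUNT_ID = "123456789012"   # placeholder account
REGION = "us-east-1"
FUNCTION_NAME = "orders-api"  # hypothetical function
TABLE_NAME = "Orders"         # hypothetical table

FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:{FUNCTION_NAME}"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}"


def trust_policy(function_arn: str, account_id: str) -> dict:
    """Trust policy (answer D): who may assume the role.

    The principal is the Lambda service, not an IAM user or group. The two
    conditions pin the grant to one function in one account, which AWS
    recommends to block cross-service confused-deputy abuse.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": function_arn},
            },
        }],
    }


def permissions_policy(table_arn: str, region: str, account_id: str, function_name: str) -> dict:
    """Permissions policy (answer E): what the role may do once assumed.

    Only the DynamoDB actions the function needs, on one table, plus the
    CloudWatch Logs actions for the function's own log group.
    """
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OrdersTable",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                           "dynamodb:UpdateItem", "dynamodb:Query"],
                "Resource": table_arn,
            },
            {
                "Sid": "FunctionLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group}:*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc: dict) -> list[str]:
    """Flag trust statements that let anything but the Lambda service assume the role."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("any principal may assume the role")
        elif isinstance(principal, dict) and "AWS" in principal:
            findings.append("IAM users/roles may assume the role, not only lambda.amazonaws.com")
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            findings.append("statement does not grant sts:AssumeRole")
        if "Condition" not in st:
            findings.append("no aws:SourceArn/aws:SourceAccount condition (confused deputy)")
    return findings


def lint_permissions_policy(doc: dict) -> list[str]:
    """Flag admin-style grants: wildcard actions, or DynamoDB actions on every table."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st["Action"])
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in _as_list(st["Resource"]) and any(a.startswith("dynamodb:") for a in actions):
            findings.append(f"{sid}: DynamoDB actions on Resource '*' (every table in the account)")
    return findings


# Constructed counter-example: the admin-style grant that option B would imply.
ADMIN_STYLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow",
                   "Action": ["lambda:*", "dynamodb:*"], "Resource": "*"}],
}


if __name__ == "__main__":
    # Save the two documents as trust.json and permissions.json, then attach them
    # (assumed real AWS CLI usage, not run by this script):
    #   aws iam create-role --role-name orders-api-role --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name orders-api-role --policy-name orders-api-dynamodb \
    #       --policy-document file://permissions.json
    #   aws lambda create-function ... --role arn:aws:iam::123456789012:role/orders-api-role
    print(json.dumps(trust_policy(FUNCTION_ARN, ACCOUNT_ID), indent=2))
    print(json.dumps(permissions_policy(TABLE_ARN, REGION, ACCOUNT_ID, FUNCTION_NAME), indent=2))
    print("trust findings:", lint_trust_policy(trust_policy(FUNCTION_ARN, ACCOUNT_ID)))
    print("admin-style findings:", lint_permissions_policy(ADMIN_STYLE_PERMISSIONS))
```

The linters are deliberately narrow: they only catch the patterns this question is about (a trust policy open to IAM principals or missing the source conditions, and a permissions policy with service-wide wildcards). Run the same checks against any role a SAM or CloudFormation template generates for you; the template tooling does not make the role any less of an IAM entity that needs D and E.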

The other options mentioned are not directly required for a Lambda function to interact with DynamoDB:

A. AWS Serverless Application Model (AWS SAM) is a framework for defining and deploying serverless applications. It is not an IAM entity at all: a SAM template can generate an execution role and its policies for you, but the role it generates still consists of the trust policy (D) and the permissions policy (E).

B. An IAM user with admin permissions to Lambda and DynamoDB is not necessary, and embedding such a user's access keys in a function would be an anti-pattern. The Lambda function assumes the execution role, which should carry only the permissions defined in the IAM policy.

C. An IAM group is used to manage permissions for multiple IAM users, but it is not directly involved in granting permissions to a Lambda function to interact with DynamoDB.

In summary, the essential IAM entities for a Lambda function to interact with DynamoDB are a trust policy that allows the Lambda service to assume the execution role and an IAM policy that defines the specific permissions within DynamoDB. Together they give the function exactly the access it needs, through short-lived role credentials, without any IAM user or group.

Getting Started with Serverless EDSELEv1EN-US assessment question and answer (Q&A) dump with detailed explanation and reference, available free, to help you pass the Getting Started with Serverless EDSELEv1EN-US assessment and earn the Getting Started with Serverless EDSELEv1EN-US badge.