← Back to exam page

AWS-Certified-Security-Specialty-SCS-C01 – AWS Certified Security - Specialty (SCS-C01)

Loading demo links...

Showing 19–20 of 20 questions

Question 19

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is

triggered whenever an object is stored within the S3 bucket.

How should the Lambda function be given access to the DynamoDB table?

Please select:

Select an option, then click Submit answer.

○
Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
○
Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.
○
Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
○
Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Reference / correct answer:

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

The ideal way is to create an IAM role which has the required permissions and then associate it with the Lambda function

The IAM Documentation additionally mentions the following

Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what IAM Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:

If your Lambda function code accesses other IAM resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role.

If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams), IAM Lambda polls these streams on your behalf. IAM Lambda needs permissions to poll the stream and read new records on the stream so you need to grant the relevant permissions to this role.

Option A is invalid because the VPC endpoint allows access instances in a private subnet to access DynamoDB

Option B is invalid because resources policies are present for resources such as S3 and KMS, but not IAM Lambda

Option C is invalid because IAM Roles should be used and not IAM Users

For more information on the Lambda permission model, please visit the below URL:

https://docs.IAM.amazon.com/lambda/latest/dg/intro-permission-model.html

The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Submit your Feedback/Queries to our Exp

Question 20

A Security Engineer is trying to determine whether the encryption keys used in an IAM service are in compliance with certain regulatory standards.

Which of the following actions should the Engineer perform to get further guidance?

Select an option, then click Submit answer.

○
Read the IAM Customer Agreement.
○
Use IAM Artifact to access IAM compliance reports.
○
Post the question on the IAM Discussion Forums.
○
Run IAM Config and evaluate the configuration outputs.

← Prev 1 2 3 4 5 6 7 Next →

Page 7 of 7

Sale Ends In

2h 0m 0s