AWS S3 ObjectCreate Event Notification - Configuring Lambda Function Permissions

Configuring Permissions for Lambda Function Invocation

Question

Clients can upload photos to an S3 bucket through a web application.

When a photo is uploaded successfully, a Lambda function needs to be invoked to get the file and perform some analysis.

You have already configured an event notification in the S3 bucket for the ObjectCreate events.

How would you configure the permissions to allow Amazon S3 to invoke the Lambda function?

Answers

Explanations


Correct Answer - D.

Lambda can be used to process event notifications from Amazon Simple Storage Service.

In this scenario, Amazon S3 should send an event to the Lambda function for processing when objects are created.

References: https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html and https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html.

Option A is incorrect: permissions in the Lambda execution role determine which actions the Lambda function itself may perform. This question, however, asks for the permission that allows S3 to invoke the Lambda function.

Option B is incorrect: the S3 bucket policy is a resource policy that configures who is allowed to perform actions on the S3 bucket. It does not control whether or not the S3 bucket can invoke a Lambda function.

Option C is incorrect: similar to Option B, the S3 ACL determines who may access the S3 bucket and how; it does not grant the bucket permission to invoke a Lambda function.

Option D is CORRECT: the Lambda function policy is what permits a principal (here the S3 service) to invoke the function. An example statement is shown below:

```json
{
  "Sid": "event_permissions_for_TestFunction",
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:ap-southeast-1:xxxxxxxxxxxx:function:TestFunction",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "xxxxxxxxxxxx"
    },
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:s3:::s3-test"
    }
  }
}
```
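As an added example (not part of the original answer or of AWS's own code), the Python below builds a function-policy statement scoped with the same `AWS:SourceAccount` and `AWS:SourceArn` conditions as above, and audits an existing function policy, such as the `Policy` document returned by `aws lambda get-policy`, for statements that let a service principal invoke the function without both conditions. The function ARN, bucket name and account ID are constructed placeholders.

```python
import json

def build_s3_invoke_statement(function_arn, bucket_name, source_account, sid="AllowS3Invoke"):
    """Statement letting Amazon S3 invoke the function, scoped to one bucket and one account."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": source_account},
            "ArnLike": {"AWS:SourceArn": f"arn:aws:s3:::{bucket_name}"},
        },
    }

def audit_function_policy(policy):
    """Flag Allow statements that let a service principal invoke the function without both
    aws:SourceArn and aws:SourceAccount. Takes the 'Policy' JSON string from
    `aws lambda get-policy` or an already-parsed dict; returns (Sid, service, missing keys)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    invoke_actions = {"lambda:invokefunction", "lambda:*", "*"}
    findings = []
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else None
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or service is None or not any(a.lower() in invoke_actions for a in actions):
            continue
        # IAM condition keys are case-insensitive, so compare them lower-cased.
        present = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        missing = [k for k in ("aws:SourceArn", "aws:SourceAccount") if k.lower() not in present]
        if missing:
            findings.append((stmt.get("Sid", "<no Sid>"), service, missing))
    return findings

# Constructed sample (placeholder ARN and account, not real resources): one scoped
# statement plus a legacy statement that lets any bucket in any account invoke the function.
FUNCTION_ARN = "arn:aws:lambda:ap-southeast-1:111122223333:function:TestFunction"
SAMPLE_POLICY = {"Version": "2012-10-17", "Id": "default", "Statement": [
    build_s3_invoke_statement(FUNCTION_ARN, "s3-test", "111122223333"),
    {"Sid": "LegacyOpenInvoke", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
]}

if __name__ == "__main__":
    for sid, service, missing in audit_function_policy(SAMPLE_POLICY):
        print(f"{sid}: {service} can invoke without {', '.join(missing)}")
```

Without both conditions, any bucket whose owner configures a notification pointing at this function ARN can invoke it; the audit reports exactly those statements.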

To allow Amazon S3 to invoke a Lambda function when an object is uploaded to an S3 bucket, you need to configure the appropriate permissions.

The S3 bucket can be configured to invoke the Lambda function by creating an event notification for the ObjectCreate event in the S3 bucket. This event notification can be configured to invoke the Lambda function when an object is created in the S3 bucket.

To allow the S3 bucket to invoke the Lambda function, you can use option B: "Add permissions to the S3 bucket policy that allows the S3 bucket to invoke the Lambda function". This option involves adding a permission statement to the S3 bucket policy that grants permission for the S3 bucket to invoke the Lambda function.

The permission statement in the S3 bucket policy should include the ARN (Amazon Resource Name) of the Lambda function as the resource, and the "lambda:InvokeFunction" action as the permission. Additionally, you should specify the S3 bucket as the principal in the permission statement.

For example, the permission statement in the S3 bucket policy would look like this:

```json
{
  "Id": "InvokeLambdaFunction",
  "Statement": [
    {
      "Sid": "AllowS3BucketToInvokeLambdaFunction",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:account-id:function:function-name",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::bucket-name"
        }
      }
    }
  ]
}
```

In this example, "region" is the AWS region where the Lambda function is located, "account-id" is your AWS account ID, "function-name" is the name of the Lambda function, and "bucket-name" is the name of the S3 bucket.

Option A, adding permissions to the Lambda execution role that allows the function to perform the "s3:GetObject" action, is not necessary in this scenario, as the Lambda function is invoked by the S3 bucket and does not need to directly access the S3 bucket.

Option C, adding permissions to the S3 access control list (ACL) to permit the S3 bucket to invoke the Lambda function when an object is uploaded in the S3 bucket, is not valid, as the S3 ACL does not have the capability to allow another AWS service to perform an action.

Option D, adding permissions to the Lambda function access policy that allows the Amazon S3 bucket principal to perform the "lambda:InvokeFunction" action, is also not required, as the S3 bucket is the principal that invokes the Lambda function, not the other way around.