AWS Lambda Function Permissions for IAM Users and Roles in Another Account | Exam Solution

Configuring Lambda Function Permissions for IAM Entities in a Different AWS Account

Question

Your team builds up a Lambda function in your AWS account that analyzes the data stored in DynamoDB and forwards the analysis result to an SQS queue.

IAM users and roles from another AWS account (123456789012) also need to invoke the Lambda function. You are responsible for configuring the permissions so that IAM entities in the account (123456789012) can invoke the Lambda function properly.

Which of the following options would you choose?

Answers

Explanations



Answer: A.

Option A is CORRECT because IAM entities from another AWS account can be allowed to invoke the Lambda function by adding a suitable statement to the function's resource-based policy (the Lambda function policy), naming the other account as the principal.

Option B is incorrect because the account ID should be put in the principal field rather than the resource field.

Option C is incorrect because the cross-account role should be created in the AWS account of the Lambda function.

Option D is incorrect because the account ID should be inserted in the principal field of the Lambda function policy.

$ aws lambda add-permission --function-name test-function:prod --statement-id xaccount --action lambda:InvokeFunction --principal 123456789012 --output text

Reference:

https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke
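The following Python is an added example, not part of the original page or of AWS documentation. It shows the statement that the add-permission command above adds to the function's resource-based policy (the CLI expands the bare account ID into the account root ARN in the Principal field, which is the point behind the Option B and D explanations) and then audits a policy document of the shape that `aws lambda get-policy` returns, listing every external account that is allowed in and flagging grants broader than a single lambda:InvokeFunction. The function ARN, the owning account ID 111111111111, the second account 222222222222 and the sample policy are all constructed for the example.

```python
import json
import re

# Matches the account ID in an IAM principal ARN such as arn:aws:iam::123456789012:root
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed values for the example (not from the page)
OWN_ACCOUNT = "111111111111"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{OWN_ACCOUNT}:function:test-function:prod"


def build_add_permission_statement(sid, principal_account, function_arn,
                                   action="lambda:InvokeFunction"):
    """Return the statement that `aws lambda add-permission --principal <account>` adds.

    The other account goes in the Principal field (as its root ARN); the
    Resource field stays the function ARN, which is why putting the account
    ID in Resource instead is wrong.
    """
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
        "Action": action,
        "Resource": function_arn,
    }


def principal_accounts(principal):
    """Account IDs named by a statement's Principal field; '*' means anyone."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = []
    for value in values:
        if value == "*":
            accounts.append("*")
        elif re.fullmatch(r"\d{12}", value):          # bare account ID
            accounts.append(value)
        else:
            match = ACCOUNT_RE.match(value)          # user/role/root ARN
            if match:
                accounts.append(match.group(1))
    return accounts


def audit_cross_account(policy_json, own_account):
    """List Allow statements granting access from outside own_account.

    Each finding records the statement id, the external account, the
    actions granted, and whether the grant is broader than a plain
    lambda:InvokeFunction (wildcard principal or extra actions).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for account in principal_accounts(stmt.get("Principal", {})):
            if account == own_account:
                continue
            broad = account == "*" or any(a != "lambda:InvokeFunction" for a in actions)
            findings.append({"sid": stmt.get("Sid"), "account": account,
                             "actions": actions, "overly_broad": broad})
    return findings


# Constructed sample in the shape `aws lambda get-policy` returns: the
# statement from the add-permission command plus a deliberately broad grant.
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            build_add_permission_statement("xaccount", "123456789012", FUNCTION_ARN),
            build_add_permission_statement("too-broad", "222222222222", FUNCTION_ARN,
                                           action="lambda:*"),
        ],
    }),
    "RevisionId": "placeholder-revision-id",
}

if __name__ == "__main__":
    for finding in audit_cross_account(SAMPLE_GET_POLICY_OUTPUT["Policy"], OWN_ACCOUNT):
        print(finding)
```

To audit a real function, feed the `Policy` string from `aws lambda get-policy --function-name <name>` to audit_cross_account together with your own account ID; any finding with overly_broad set to True is a cross-account grant that goes beyond what the question requires.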

The correct answer is C. Sign in to the other account (123456789012) and configure a cross-account IAM role with permissions to invoke the Lambda function. IAM entities assume the role before executing the function.

Explanation: The scenario requires IAM users and roles in a different AWS account to invoke a Lambda function in your account. This is cross-account access, which can be set up by configuring cross-account IAM roles.

Option A, specifying the account ID (123456789012) as the principal in the Lambda function policy, would allow the IAM entities in the account (123456789012) to invoke the Lambda function, but this is not a recommended practice for cross-account access. Additionally, if the policy is not updated in the other AWS account to allow access to the Lambda function, it would not work.

Option B, granting permissions to the AWS account (123456789012) in the Lambda resource policy by specifying the account ID as the resource, would also allow the IAM entities in the account (123456789012) to invoke the Lambda function, but this is not the recommended approach for cross-account access. This approach grants access to the entire resource, not just specific actions.

Option D, specifying the account ID (123456789012) as the trusted entity in the Lambda function policy and permitting IAM entities in the account (123456789012) to use the Invoke Lambda API, would allow the IAM entities to invoke the Lambda function, but this is not the recommended approach for cross-account access. This approach does not provide fine-grained access control.

Option C, signing in to the other account (123456789012) and configuring a cross-account IAM role with permissions to invoke the Lambda function, is the recommended approach for granting cross-account access to a Lambda function. This approach provides fine-grained access control and allows the IAM entities in the other AWS account to assume a specific IAM role with only the permissions required to invoke the Lambda function.

In summary, the recommended approach for granting cross-account access to a Lambda function is to use a cross-account IAM role.