Evaluate your understanding of Lambda execution roles and IAM permissions with targeted questions covering role assignment, least privilege principles, managed policies, and permission scopes for serverless environments. This quiz helps reinforce best practices in configuring access controls and securing serverless functions using correct IAM roles and permissions.
Which IAM permission is required for a Lambda function to write logs to a cloud-based logging service?
Explanation: logs:PutLogEvents is the permission that lets a Lambda function write log events to the logging service. In practice it is granted together with logs:CreateLogGroup and logs:CreateLogStream, because PutLogEvents fails if the function's log group or stream does not exist yet. s3:GetObject is used for reading storage objects, not logs. ec2:DescribeInstances relates to virtual machine instances and is irrelevant to logging. lambda:InvokeFunction is for calling other functions, not for logging.
When creating a Lambda function that reads data from a storage bucket, which component is responsible for assigning the proper execution role to the function?
Explanation: The function configuration specifies which execution role the Lambda function assumes when running. The resource owner may have administrative rights, but does not assign the role directly. The client application interacts with the function but doesn't assign roles. Network firewall deals with traffic, not permission assignments.
Why is it important to apply the principle of least privilege when defining IAM permissions for a Lambda execution role?
Explanation: Applying the principle of least privilege ensures the Lambda function holds only the permissions it needs, which limits the blast radius if the function is compromised (for example through a code or dependency flaw) and its temporary credentials are abused. Network performance, code execution time, and storage costs are not directly affected by permission minimization. Excessive permissions do not influence speed or cost, but they widen what an attacker can do with the function's role.
What is a primary benefit of using managed policies with Lambda execution roles?
Explanation: Managed policies allow permissions to be managed centrally, so a single policy can be attached to many roles and updated or reviewed in one place. Increased memory, faster deployment, and error correction are not influenced by managed policies, which only define and attach permissions. One caveat: AWS-managed policies such as AWSLambdaBasicExecutionRole are written for broad use (their logging statement applies to Resource "*"), so a customer-managed policy scoped to the function's own resources is the better fit when least privilege is the goal.
An IAM role assigned to a Lambda function grants access to several resources. What determines which actions the function can perform?
Explanation: The attached policies define what actions the Lambda function can perform while using its execution role. Memory, timeout, and runtime version define resource usage and environment, not permissions. Without appropriate policy permissions, functions cannot interact with resources even if other settings are configured.
Which type of IAM role must be assigned to a Lambda function so it can access other services during execution?
Explanation: The execution role is the IAM role Lambda assumes on the function's behalf to obtain temporary credentials for accessing other resources. Its trust policy must allow the principal lambda.amazonaws.com to call sts:AssumeRole; without that, the function cannot assume the role regardless of the permissions attached to it. Service control policies apply broader organizational guardrails and cannot grant access on their own. Session profiles and administrator accounts are not roles that Lambda assumes for resource access.
A Lambda function should read data from one bucket but not modify it. Which permission should be included in its role?
Explanation: s3:GetObject is the permission needed for reading objects from a bucket without modifying them. s3:PutObject allows uploads, s3:DeleteBucket deletes the entire bucket, and s3:CreateBucket creates new buckets. Granting only s3:GetObject prevents the function from changing stored data; the statement's Resource should name the object ARN of that one bucket (arn:aws:s3:::bucket-name/*) rather than a wildcard, so the read access does not extend to other buckets.
If your Lambda function only needs to list items in a database, which type of IAM policy action is appropriate?
Explanation: dynamodb:Scan allows reading every item in a table. dynamodb:PutItem creates or replaces items, dynamodb:DeleteTable deletes entire tables, and dynamodb:UpdateItem modifies items. Listing items requires no write or delete actions, so only the scan action is appropriate, and it should be scoped to the ARN of the specific table the function reads.
To grant a Lambda function permission to write data to a storage bucket, where must the access policy be attached?
Explanation: The permissions must be attached to the Lambda execution role, because that role is the identity the function runs under and the one whose policies are evaluated at request time. Attaching a policy to the code itself does nothing; IAM is not enforced that way. Client devices and network firewalls do not control what the function is allowed to do within the cloud environment.
How can a Lambda execution role be configured to access multiple services, such as storage and messaging?
Explanation: A function has exactly one execution role, so access to several services is granted by attaching policies that cover each service (for example a storage statement and a messaging statement) to that single role. Splitting the permissions across several roles does not work, since the function cannot assume more than one execution role. Memory and timeout settings affect performance but not permission scope.
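The questions above describe the pieces of a least-privilege execution role one at a time: the logging permissions, the role the Lambda service assumes, a read-only storage statement, a scan-only table statement, and one role covering several services. The following script, added here as an example and not part of the quiz, puts those pieces together as the two JSON documents a practitioner would actually hand to IAM (a trust policy and a permissions policy) and adds a small audit that flags wildcard actions and unrestricted resources. The account ID, region, function name, bucket, table and queue names are constructed placeholders; the aws:SourceAccount / aws:SourceArn conditions on the trust policy are the confused-deputy guard AWS recommends for execution roles.

```python
"""Least-privilege Lambda execution role: trust policy, permissions policy, and
a simple audit. Added example; the identifiers below are constructed."""
import json

# Constructed sample identifiers (assumptions, not taken from the quiz).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
FUNCTION_NAME = "order-reader"
BUCKET = "example-orders-bucket"
TABLE = "Orders"
QUEUE = "order-events"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:{FUNCTION_NAME}"


def trust_policy() -> dict:
    """Who may assume the role: only the Lambda service, and only on behalf of
    this one function in this account (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
                "ArnLike": {"aws:SourceArn": FUNCTION_ARN},
            },
        }],
    }


def permissions_policy() -> dict:
    """What the function may do once it holds the role. Every statement names
    specific actions on specific resources."""
    log_group = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{FUNCTION_NAME}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # The group may not exist yet, so creation is allowed in this account/region.
                "Sid": "CreateLogGroup", "Effect": "Allow",
                "Action": "logs:CreateLogGroup",
                "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:*"},
            {   # PutLogEvents alone is not enough: the stream must be created first.
                "Sid": "WriteLogs", "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group}:*"},
            {   # Read-only: GetObject applies to object ARNs (bucket/*), not the bucket ARN.
                "Sid": "ReadOrders", "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{BUCKET}/*"},
            {   # List items in exactly one table.
                "Sid": "ScanOrders", "Effect": "Allow",
                "Action": "dynamodb:Scan",
                "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE}"},
            {   # A second service on the same role: publish to one queue.
                "Sid": "SendOrderEvents", "Effect": "Allow",
                "Action": "sqs:SendMessage",
                "Resource": f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE}"},
        ],
    }


def overbroad_policy() -> dict:
    """The anti-pattern the quiz warns against: service-wide actions on every resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                       "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> set:
    """Flattened set of actions the policy's Allow statements grant."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s["Action"])}


def audit(policy: dict) -> list:
    """Flag Allow statements that use wildcard actions or an unrestricted resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", "*")):
            if resource == "*":
                findings.append(f"{sid}: resource * is unrestricted")
    return findings


if __name__ == "__main__":
    # These are the documents `aws iam create-role` and `put-role-policy` accept.
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("least-privilege findings:", audit(permissions_policy()))
    print("over-broad findings:", audit(overbroad_policy()))
```

The audit is deliberately simple; it catches the two mistakes that most often turn a compromised function into an account-wide problem (service-wide `service:*` actions and `Resource: "*"`) but does not reason about conditions or resource-based policies on the bucket or queue, which can further restrict or widen what the role can reach.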