Exam DOP-C01 All QuestionsBrowse all questions from this exam
Go to Exam
Question 159

A company is using an organization in AWS Organizations to manage multiple AWS accounts. The company's development team wants to use AWS Lambda functions to meet resiliency requirements and is rewriting all applications to work with Lambda functions that are deployed in a VPC. The development team is using Amazon Elastic File System (Amazon EFS) as shared storage in Account A in the organization.

The company wants to continue to use Amazon EFS with Lambda. Company policy requires all serverless projects to be deployed in Account B.

A DevOps engineer needs to reconfigure an existing EFS file system to allow Lambda functions to access the data through an existing EFS access point.

Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

    Correct Answer: A, D, F

    To enable Lambda functions in Account B to access the EFS file system in Account A, several steps need to be taken. Firstly, the EFS file system policy must be updated to grant Account B the necessary access permissions, including mounting and writing to the file system. Secondly, the Lambda execution roles must be updated to include permissions to access both the VPC and the EFS file system. Finally, the Lambda functions in Account B should be configured to assume an existing IAM role in Account A to allow for seamless access and operation across accounts.

Discussion
Bulti

AEF are the right answers. 1. Need to update the file system policy on EFS to allow mounting the file system into Account B. ## File System Policy $ cat file-system-policy.json { "Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ], "Principal": { "AWS": "arn:aws:iam::<aws-account-id-A>:root" # Replace with AWS account ID of EKS cluster } } ] } 2. Need VPC peering between Account A and Account B as the pre-requisite 3. Need to assume cross-account IAM role to describe the mounts so that a specific mount can be chosen.

vn_thanhtung

https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html why you need assume role ???

Dgix

ADE. Peering is needed. F is unnecessary.

AndrewD1234

At the time of writing this comment, there is no option E. Only A,B,C,D,F - E is missing. Sweet.

bgc1

AEF for me based on explanation here - https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

PiccasoOptions: BF

E is lacking in the "Chosen Answer" E and F are obviously correct. I prefer B to A because of the least privilege principle.

Bulti

https://aws.amazon.com/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

saeidp

A D F for me

saeidp

ADE VPC peering is needed

Dimidrol

A D F for me

Dimidrol

https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

bgc1

This link mentioned VPC peering requirement as well as need to assume role. AEF?

Oleg_gol

i think ADF

auxwwwOptions: AD

https://docs.aws.amazon.com/lambda/latest/dg/configuration-filesystem-cross-account.html#:~:text=For%20your%20Lambda%20function%20to,Elastic%20File%20System%20User%20Guide. A D E

jyrajan69

Why is there need for peering? We have one VPC, no mention of any addition, so is out, it's ADF

easytoo

AEF is best

DerekKey

A E F Should be E instead of D: A Lambda function in one account can mount a file system in a different account. For this scenario, you configure VPC peering between the function VPC and the file system VPC. https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html

ozlaoliu

Vote for AEF https://aws.amazon.com/premiumsupport/knowledge-center/access-efs-across-accounts/