
DOP-C01 Exam - Question 159


A company is using an organization in AWS Organizations to manage multiple AWS accounts. The company's development team wants to use AWS Lambda functions to meet resiliency requirements and is rewriting all applications to work with Lambda functions that are deployed in a VPC. The development team is using Amazon Elastic File System (Amazon EFS) as shared storage in Account A in the organization.

The company wants to continue to use Amazon EFS with Lambda. Company policy requires all serverless projects to be deployed in Account B.

A DevOps engineer needs to reconfigure an existing EFS file system to allow Lambda functions to access the data through an existing EFS access point.

Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

Correct Answer: ADF

To enable Lambda functions in Account B to access the EFS file system in Account A, several steps need to be taken. Firstly, the EFS file system policy must be updated to grant Account B the necessary access permissions, including mounting and writing to the file system. Secondly, the Lambda execution roles must be updated to include permissions to access both the VPC and the EFS file system. Finally, the Lambda functions in Account B should be configured to assume an existing IAM role in Account A to allow for seamless access and operation across accounts.
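An added example (not part of the original page, and not AWS's own code): a file system policy for the EFS file system in Account A that grants mount and write to one Lambda execution role in Account B through one access point, with a small check that flags broader grants. The account IDs, ARNs and role name are constructed placeholders.

```python
import json

# Constructed placeholder identifiers (assumptions, not values from the page).
ACCOUNT_A = "111111111111"  # owns the EFS file system
ACCOUNT_B = "222222222222"  # runs the Lambda functions
FS_ARN = f"arn:aws:elasticfilesystem:us-east-1:{ACCOUNT_A}:file-system/fs-0123456789abcdef0"
AP_ARN = f"arn:aws:elasticfilesystem:us-east-1:{ACCOUNT_A}:access-point/fsap-0123456789abcdef0"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/example-lambda-exec"  # hypothetical role name


def scoped_policy(principal_arn, fs_arn, ap_arn):
    """File system policy: mount/write for one principal, only via one access point."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountLambdaMount",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
            "Resource": fs_arn,
            "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": ap_arn}},
        }],
    }


def audit(policy):
    """Return (statement index, finding) pairs for Allow statements broader than needed."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principals = st.get("Principal", {})
        aws = principals if isinstance(principals, str) else principals.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = {k: v for op in st.get("Condition", {}).values() for k, v in op.items()}
        if any(p == "*" or p.endswith(":root") for p in aws):
            findings.append((i, "principal is a whole account or wildcard"))
        if "elasticfilesystem:AccessPointArn" not in cond:
            findings.append((i, "not restricted to an access point"))
        if "elasticfilesystem:ClientRootAccess" in actions or "elasticfilesystem:*" in actions:
            findings.append((i, "grants root access or all EFS actions"))
    return findings


if __name__ == "__main__":
    print(json.dumps(scoped_policy(LAMBDA_ROLE, FS_ARN, AP_ARN), indent=2))
```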

Discussion

14 comments
Bulti
Jan 28, 2023

AEF are the right answers.

1. Need to update the file system policy on EFS to allow mounting the file system into Account B.

    ## File System Policy
    $ cat file-system-policy.json
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticfilesystem:ClientMount",
                    "elasticfilesystem:ClientWrite"
                ],
                "Principal": {
                    "AWS": "arn:aws:iam::<aws-account-id-A>:root" # Replace with AWS account ID of EKS cluster
                }
            }
        ]
    }

2. Need VPC peering between Account A and Account B as the pre-requisite
3. Need to assume cross-account IAM role to describe the mounts so that a specific mount can be chosen.

vn_thanhtung
May 7, 2024

https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html Why do you need to assume a role?

Oleg_gol
Jan 15, 2023

I think ADF

Dimidrol
Jan 17, 2023

A D F for me

Dimidrol
Jan 17, 2023

https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

bgc1
Mar 5, 2023

This link mentioned VPC peering requirement as well as need to assume role. AEF?

saeidp
Jan 20, 2023

A D F for me

saeidp
Jan 20, 2023

ADE VPC peering is needed

Bulti
Jan 28, 2023

https://aws.amazon.com/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

Piccaso
Options: BF
Feb 13, 2023

E is lacking in the "Chosen Answer". E and F are obviously correct. I prefer B to A because of the least privilege principle.

bgc1
Mar 5, 2023

AEF for me based on explanation here - https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

AndrewD1234
Jul 28, 2023

At the time of writing this comment, there is no option E. Only A,B,C,D,F - E is missing. Sweet.

Dgix
Oct 23, 2023

ADE. Peering is needed. F is unnecessary.

ozlaoliu
Jan 31, 2023

Vote for AEF https://aws.amazon.com/premiumsupport/knowledge-center/access-efs-across-accounts/

DerekKey
Feb 3, 2023

A E F. Should be E instead of D: A Lambda function in one account can mount a file system in a different account. For this scenario, you configure VPC peering between the function VPC and the file system VPC. https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html

easytoo
Apr 25, 2023

AEF is best

jyrajan69
Mar 29, 2024

Why is there a need for peering? We have one VPC, no mention of any addition, so it is out; it's ADF

auxwww
Options: AD
Jul 10, 2024

https://docs.aws.amazon.com/lambda/latest/dg/configuration-filesystem-cross-account.html#:~:text=For%20your%20Lambda%20function%20to,Elastic%20File%20System%20User%20Guide. A D E