Exam DVA-C02
Question 100

A company uses AWS Lambda functions and an Amazon S3 trigger to process images that are uploaded to an S3 bucket. A development team set up multiple environments in a single AWS account.

After a recent production deployment, the development team observed that the development S3 buckets invoked the production environment Lambda functions. These invocations caused production Lambda functions to process development S3 objects, which was not intended. The development team must prevent these invocations. The team must follow security best practices.

Which solution will meet these requirements?

    Correct Answer: B

    To prevent the cross-environment invocations and follow security best practices, the development and production environments should be moved into separate AWS accounts. Account-level separation is the strong isolation boundary that the AWS Well-Architected Framework recommends, and it improves security, billing, and access control at the same time. Adding a resource-based policy to each Lambda function that allows invocation only from S3 buckets in the function's own account (the aws:SourceAccount condition that "aws lambda add-permission --source-account" sets) then guarantees that S3 events in the development account cannot trigger production functions, and vice versa. One caveat: an account-scoped condition only separates the environments once they live in different accounts; inside a single shared account, a production function's policy must instead name the production bucket explicitly through the aws:SourceArn condition. This method separates the workloads and removes the risk of cross-environment triggers.
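The resource-policy half of the answer, as an added example that is not from the exam page or from AWS documentation: the policy statement that "aws lambda add-permission" attaches when an S3 trigger is registered, plus a small evaluator of the aws:SourceArn and aws:SourceAccount conditions. It shows why an account-only condition cannot separate environments while they share one account, and why either pinning the statement to the production bucket ARN or splitting the accounts does. All account IDs, bucket names and the function name are invented placeholders, and the evaluator models only the resource policy's Allow conditions, not the full IAM evaluation logic.

```python
"""Added example, not from the exam page or AWS docs: the Lambda resource-based
policy statement that pins S3-triggered invocations to one bucket, and a small
evaluator for the two condition keys S3 sets on every invocation,
aws:SourceArn and aws:SourceAccount. Every account ID, bucket and function
name below is a made-up placeholder."""
import json
import re

# Hypothetical identifiers used throughout the example.
PROD_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"  # only exists after the split into two accounts
PROD_BUCKET_ARN = "arn:aws:s3:::example-images-prod"
DEV_BUCKET_ARN = "arn:aws:s3:::example-images-dev"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{PROD_ACCOUNT}:function:process-image-prod"


def s3_invoke_policy(function_arn, account, bucket_arn=None):
    """Resource policy equivalent to `aws lambda add-permission --principal s3.amazonaws.com
    --action lambda:InvokeFunction --source-account <account> [--source-arn <bucket_arn>]`.
    With bucket_arn the statement is pinned to one bucket; without it, any bucket in
    the given account may invoke the function."""
    condition = {"StringEquals": {"AWS:SourceAccount": account}}
    if bucket_arn:
        condition["ArnLike"] = {"AWS:SourceArn": bucket_arn}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3Invoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": condition,
        }],
    }


def _arn_like(pattern, value):
    """IAM ArnLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def invocation_allowed(policy, source_arn, source_account):
    """Simplified check of the S3 -> Lambda invoke path: allowed only if some Allow
    statement for the S3 service principal has every condition satisfied.
    (Real IAM evaluation also applies explicit denies; this toy models only the
    resource policy's Allow conditions.)"""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if (stmt.get("Effect") != "Allow"
                or service != "s3.amazonaws.com"
                or "lambda:InvokeFunction" not in actions):
            continue
        cond = stmt.get("Condition", {})
        arn_ok = all(_arn_like(pattern, source_arn)
                     for key, pattern in cond.get("ArnLike", {}).items()
                     if key.lower() == "aws:sourcearn")
        acct_ok = all(expected == source_account
                      for key, expected in cond.get("StringEquals", {}).items()
                      if key.lower() == "aws:sourceaccount")
        if arn_ok and acct_ok:
            return True
    return False


def evaluate_scenarios():
    """Which bucket/account pairs may invoke the production function under
    (a) an account-only policy and (b) a policy pinned to the production bucket."""
    account_only = s3_invoke_policy(FUNCTION_ARN, PROD_ACCOUNT)
    pinned = s3_invoke_policy(FUNCTION_ARN, PROD_ACCOUNT, PROD_BUCKET_ARN)
    return {
        # Single shared account (the setup in the question): account-only lets dev through.
        "account_only/prod_bucket_same_account": invocation_allowed(account_only, PROD_BUCKET_ARN, PROD_ACCOUNT),
        "account_only/dev_bucket_same_account": invocation_allowed(account_only, DEV_BUCKET_ARN, PROD_ACCOUNT),
        # After moving dev to its own account, the same account-only policy blocks it.
        "account_only/dev_bucket_dev_account": invocation_allowed(account_only, DEV_BUCKET_ARN, DEV_ACCOUNT),
        # Pinning to the bucket ARN blocks dev even inside the shared account.
        "pinned/prod_bucket_same_account": invocation_allowed(pinned, PROD_BUCKET_ARN, PROD_ACCOUNT),
        "pinned/dev_bucket_same_account": invocation_allowed(pinned, DEV_BUCKET_ARN, PROD_ACCOUNT),
    }


if __name__ == "__main__":
    print(json.dumps(s3_invoke_policy(FUNCTION_ARN, PROD_ACCOUNT, PROD_BUCKET_ARN), indent=2))
    for name, allowed in evaluate_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints the pinned policy document and then the five scenario results; the two "account_only" rows for the shared account are the point of the question, since they show that a same-account condition on its own does nothing until development has been moved to a second account.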

Discussion
AgboolaKun (Option: C)

B is a wrong answer because I do not understand the need to move the environments to separate AWS accounts. The resource policy in the production environment can be used to control which S3 bucket invokes the function. In my understanding, the answer choice C fulfills the security best practices requirement in the question.

MrPie

It's a best practice: Best Practices: Separate workloads using accounts: Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access. https://wa.aws.amazon.com/wat.question.SEC_1.en.html

maurice2005

There is nowhere mentioned in the question that workload is the problem!

jipark

A resource policy totally fulfills the requirement.

csG13 (Option: B)

I choose B because it says that the team should follow the best security practices. AWS well-architected framework suggests separation. For reference see the link below: https://wa.aws.amazon.com/wat.question.SEC_1.en.html

Rameez1 (Option: B)

Moving the Dev and Prod environments to separate accounts will make them totally isolated from cross-account Lambda invocations. Whereas in Option C, though the Prod Lambda won't trigger on a Dev S3 bucket event, the Dev Lambda may still get mistakenly invoked by a Prod S3 bucket event and perform unwanted actions.

SD_CS (Option: B)

I initially thought C, but after going through the below, I don't think there is any scope for doubt. "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access." https://docs.aws.amazon.com/en_us/wellarchitected/latest/framework/sec_securely_operate_multi_accounts.html

KarBiswa (Option: D)

I feel it is D, as there is no doubt we need to separately create two accounts for DEV and PROD. After that there must be Lambda execution roles where we can set the specific policies. Resource-based policies are more for cross-account access. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html https://repost.aws/knowledge-center/lambda-execution-role-s3-bucket As the question demands the best-practices scenario, option D fulfils that.

Certified101 (Option: B)

B, following best practices.

Aws_aspr

Asked 18 July 24 without the "security best practices" wording. So C is the correct answer for this.

65703c1 (Option: B)

B is the correct answer.

SerialiDr (Option: C)

This approach involves configuring a resource-based policy (also known as a Lambda function policy) that explicitly defines which resources (in this case, S3 buckets) can invoke the Lambda function. By specifying only the production S3 bucket in the resource policy of the production Lambda function, you ensure that only events from the designated production S3 bucket can trigger the production Lambda function. This prevents development or other non-production buckets from inadvertently invoking production Lambda functions, thus maintaining environment integrity and security best practices.

rrshah83 (Option: C)

New accounts are not necessary...

[Removed]

OMG, these questions can be very wordy... be careful and read carefully. Answer is C.

[Removed]

After reading this link --> https://wa.aws.amazon.com/wat.question.SEC_1.en.html, changing answer to B.

Mimi666 (Option: B)

Keeping the security best-practices.

tqiu654 (Option: B)

ChatGPT: B

[Removed]

ChatGPT is not always right. Be careful.

Nagasoracle (Option: B)

Sorry, it is B, as it mentions following security practice.

Chicote

What a pain.

Nagasoracle (Option: A)

Answer: A, as it mentions following best security practice.

Millie024

B seems to be the correct one. https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_securely_operate_multi_accounts.html "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access."

fossil123 (Option: C)

C meets the contextual security requirements.