
DVA-C02 Exam - Question 100


A company uses AWS Lambda functions and an Amazon S3 trigger to process images into an S3 bucket. A development team set up multiple environments in a single AWS account.

After a recent production deployment, the development team observed that the development S3 buckets invoked the production environment Lambda functions. These invocations caused unwanted execution of development S3 files by using production Lambda functions. The development team must prevent these invocations. The team must follow security best practices.

Which solution will meet these requirements?

Correct Answer: B

To prevent unwanted invocations and follow security best practices, the development and production environments should be moved into separate AWS accounts. This strategy establishes strong isolation boundaries, enhancing security, billing, and access controls. Adding a resource policy to each Lambda function to allow only S3 buckets that are within the same account to invoke the function further ensures that S3 events in the development environment cannot trigger production Lambda functions and vice versa. This method effectively separates workloads and mitigates the risk of cross-environment triggers.

Discussion

17 comments
AgboolaKun (Option: C)
May 17, 2023

B is a wrong answer because I do not understand the need to move the environments to separate AWS accounts. The resource policy in the production environment can be used to control which S3 bucket invokes the function. In my understanding, the answer choice C fulfills the security best practices requirement in the question.

MrPie
Jul 6, 2023

It's a best practice: Best Practices: Separate workloads using accounts: Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access. https://wa.aws.amazon.com/wat.question.SEC_1.en.html

maurice2005
Mar 20, 2024

There is nowhere mentioned in the question that workload is the problem!

jipark
Aug 3, 2023

Resource policy totally fulfills the requirement.

csG13 (Option: B)
Jun 6, 2023

I choose B because it says that the team should follow the best security practices. AWS well-architected framework suggests separation. For reference see the link below: https://wa.aws.amazon.com/wat.question.SEC_1.en.html

Rameez1 (Option: B)
Oct 17, 2023

Moving the Dev and Prod environments to separate Accounts will make them totally isolated with cross account Lambda invocations. Whereas in Option C though Prod Lambda won't trigger with Dev S3 bucket Event, Dev Lambda may still get mistakenly invoked by Prod S3 Bucket event and perform unwanted actions.

SD_CS (Option: B)
Feb 15, 2024

I initially thought C, but after going through the below, I don't think there is any scope for doubt. "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access." https://docs.aws.amazon.com/en_us/wellarchitected/latest/framework/sec_securely_operate_multi_accounts.html

Certified101 (Option: B)
Dec 17, 2023

B - following best practices

KarBiswa (Option: D)
Feb 25, 2024

I feel it is D, as there is no doubt we need to separately create two accounts for DEV & PROD. After that there must be Lambda execution roles where we can set the specific policies. Resource-based policies are more for cross-account access. https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html https://repost.aws/knowledge-center/lambda-execution-role-s3-bucket As the question demands the best-practices scenario, option D fulfils that.

fossil123 (Option: C)
Aug 30, 2023

C meets the contextual security requirements.

Millie024
Sep 18, 2023

B seems to be the correct one https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_securely_operate_multi_accounts.html Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access.

Nagasoracle (Option: A)
Oct 17, 2023

Answer: A, as it mentions following best security practice.

Nagasoracle (Option: B)
Oct 17, 2023

Sorry, it is B, as it mentions following security practice.

Chicote
Oct 26, 2023

HOW ANNOYING

tqiu654 (Option: B)
Dec 2, 2023

ChatGPT: B

[Removed]
Dec 10, 2023

ChatGPT is not always right. Be careful.

Mimi666 (Option: B)
Dec 3, 2023

Keeping the security best-practices.

[Removed]
Dec 10, 2023

OMG, these questions can be very wordy... be careful and read carefully. Answer is C.

[Removed]
Dec 10, 2023

after reading this link --> https://wa.aws.amazon.com/wat.question.SEC_1.en.html changing answer to B

rrshah83 (Option: C)
Jan 3, 2024

new accounts not necessary...

SerialiDr (Option: C)
Feb 28, 2024

This approach involves configuring a resource-based policy (also known as a Lambda function policy) that explicitly defines which resources (in this case, S3 buckets) can invoke the Lambda function. By specifying only the production S3 bucket in the resource policy of the production Lambda function, you ensure that only events from the designated production S3 bucket can trigger the production Lambda function. This prevents development or other non-production buckets from inadvertently invoking production Lambda functions, thus maintaining environment integrity and security best practices.
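The resource-based policy described in the answer explanation and in this comment, as an added example that is not part of the question bank or of AWS documentation: a Python model of the statement that `aws lambda add-permission --principal s3.amazonaws.com --source-arn ... --source-account ...` writes, plus a simplified evaluator showing that pinning only the account (the question's single-account setup) still lets a development bucket invoke the production function, while pinning the bucket ARN blocks it. The account id, function and bucket ARNs are constructed placeholders.

```python
import fnmatch

# Constructed placeholders (not from the question): one account, two buckets.
ACCOUNT_ID = "111122223333"
PROD_FN = f"arn:aws:lambda:us-east-1:{ACCOUNT_ID}:function:process-images-prod"
PROD_BUCKET = "arn:aws:s3:::prod-images"
DEV_BUCKET = "arn:aws:s3:::dev-images"

def s3_invoke_statement(function_arn, bucket_arn=None, account_id=None):
    """Statement that `aws lambda add-permission --principal s3.amazonaws.com`
    adds to the function's resource-based policy; --source-arn and
    --source-account become the Condition keys shown here."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
    }
    cond = {}
    if account_id:
        cond["StringEquals"] = {"AWS:SourceAccount": account_id}
    if bucket_arn:
        cond["ArnLike"] = {"AWS:SourceArn": bucket_arn}
    if cond:
        stmt["Condition"] = cond
    return stmt

def s3_may_invoke(stmt, function_arn, source_bucket_arn, source_account):
    """Simplified evaluation of one Allow statement for an S3 event notification:
    principal, action, resource and every Condition key present must match."""
    if stmt.get("Effect") != "Allow":
        return False
    if stmt.get("Principal", {}).get("Service") != "s3.amazonaws.com":
        return False
    if stmt.get("Action") != "lambda:InvokeFunction" or stmt.get("Resource") != function_arn:
        return False
    cond = stmt.get("Condition", {})
    want_account = cond.get("StringEquals", {}).get("AWS:SourceAccount")
    if want_account is not None and want_account != source_account:
        return False
    want_arn = cond.get("ArnLike", {}).get("AWS:SourceArn")
    # ArnLike wildcards (* and ?) are treated as shell-style globs here.
    if want_arn is not None and not fnmatch.fnmatchcase(source_bucket_arn, want_arn):
        return False
    return True

# Weak grant: same account only, so the dev bucket still gets through.
OPEN_STMT = s3_invoke_statement(PROD_FN, account_id=ACCOUNT_ID)
# Corrected grant: pinned to the production bucket as well as the account.
PROD_STMT = s3_invoke_statement(PROD_FN, PROD_BUCKET, ACCOUNT_ID)
```

A real Lambda policy is evaluated by IAM, not by this function; the evaluator only illustrates which condition key actually discriminates between buckets in one account.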

65703c1 (Option: B)
May 22, 2024

B is the correct answer.

Aws_aspr
Jul 18, 2024

Asked 18 July 24 without the words "security best practices". So C is the correct answer for this.