Question

Your team is planning on creating a Lambda function which will interact with a DynamoDB stream. Which of the following would need to be in place to ensure the Lambda function can interact with the DynamoDB table?

A. Access Keys for an IAM user embedded in the function.

B. IAM Role with required permissions to access DynamoD.

C. The password for an IAM user in the environment variable for the Lambda function.

D. A Security group rule to allow egress traffic into DynamoD.

Answer 1

Answer - B.

The AWS Documentation mentions the following.

Regardless of what invokes a Lambda function, AWS Lambda always executes a Lambda function on your behalf.

If your Lambda function needs to access any AWS resources, you need to grant the relevant permissions to access those resources.

You also need to grant AWS Lambda permissions to poll your DynamoDB stream.

You grant all of these permissions to an IAM role (execution role) that AWS Lambda can assume to poll the stream and execute the Lambda function on your behalf.

You create this role first and then enable it at the time you create the Lambda function.

For more information on using Lambda with DynamoDB, please refer to the below URL-

https://docs.aws.amazon.com/lambda/latest/dg/with-ddb.html

Option B is the correct answer: IAM Role with required permissions to access DynamoDB.

Explanation: When you create a Lambda function that interacts with a DynamoDB stream, you need to ensure that the Lambda function has the appropriate permissions to access the DynamoDB table.

To grant these permissions, you can create an IAM role with the necessary permissions and then assign that role to the Lambda function. This approach provides better security because the Lambda function does not need to embed any access keys or passwords.

The IAM role should have permissions to access the DynamoDB table, as well as any other AWS resources that the Lambda function needs to access, such as S3 buckets or other AWS services.

Access Keys for an IAM user embedded in the function (Option A) is not a good approach for several reasons:

• It is less secure because access keys can be easily compromised if they are embedded in the function code.
• It is not scalable because if you have multiple Lambda functions, you would need to embed access keys for each of them.
• It is difficult to manage because you need to rotate access keys periodically to maintain security.

The password for an IAM user in the environment variable for the Lambda function (Option C) is also not a good approach for similar reasons. Passwords can be easily compromised and it would be difficult to manage and rotate them for multiple Lambda functions.

Security group rules (Option D) are used to control inbound and outbound traffic to and from EC2 instances, RDS instances, and other AWS resources. They are not used to control access to DynamoDB tables from Lambda functions. Therefore, this option is not correct.