Which solution will resolve the issue?

A DevOps team has created a Custom Lambda rule in AWS Config.The rule monitors Amazon Elastic Container Repository (Amazon ECR) policy statements for ecr:* actions.When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route the notification to a security team.When the custom AWS Config rule is evaluated, the AWS Lambda function fails to run.

Which solution will resolve the issue?

Modify the Lambda function’s resource policy to grant AWS Config permission to invoke the function.

Modify the SNS topic policy to include configuration changes for EventBridge to publish to the SNS topic.

Modify the Lambda function’s execution role to include configuration changes for custom AWS Config rules.

Modify all the ECR repository policies to grant AWS Config access to the necessary ECR API actions.

Explanations:

The AWS Config service needs permission to invoke the Lambda function when a compliance check is performed. Modifying the Lambda function’s resource policy to explicitly grant permission to AWS Config allows it to call the function, resolving the invocation failure.

Modifying the SNS topic policy does not address the issue of the Lambda function failing to run. The SNS topic policy is related to notifications, not to the invocation permissions for the Lambda function by AWS Config.

The Lambda function’s execution role pertains to the permissions the Lambda function has when it runs, not the permissions needed for AWS Config to invoke it. This option does not resolve the issue of the invocation failure.

Modifying the ECR repository policies to grant AWS Config access to necessary ECR API actions does not address the problem of the Lambda function failing to run. This is unrelated to the permissions required for invoking the Lambda function.

Learn & move to cloud

Which solution will resolve the issue?

Explanations:

Leave a Reply Cancel reply