How should the SysOps administrator resolve the problem?
Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for EventBridge to invoke the function. Assign the role to the EventBridge rule.
Update the CloudFormation stack to include an AWS::IAM::Role resource with the required IAM permissions for the function. Assign the role as the function execution role.
Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure events.amazonaws.com has permissions to invoke the function.
Update the CloudFormation stack with an AWS::Lambda::Permission resource to ensure lambda.amazonaws.com has permissions to invoke the function.
Explanations:
This option suggests creating an IAM role for EventBridge to invoke the Lambda function. However, EventBridge does not need a separate role; it needs a permission policy that allows it to invoke the Lambda function.
This option proposes adding an IAM role for the Lambda function, which is already assumed to have permissions to write to CloudWatch Logs. The issue lies in granting permission to EventBridge to invoke the function, not in the execution role of the function itself.
This option correctly states that an AWS::Lambda::Permission resource should be added to grant the necessary permission for EventBridge (events.amazonaws.com) to invoke the Lambda function. This permission is essential for EventBridge to trigger the function.
This option incorrectly references lambda.amazonaws.com, which is not the service that needs permission to invoke the function. Instead, it should be events.amazonaws.com for EventBridge, making this option incorrect.
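The template below is an added example, not part of the original question. It shows where each service principal belongs: lambda.amazonaws.com in the trust policy of the function's execution role, events.amazonaws.com in the AWS::Lambda::Permission that lets the rule invoke the function. All logical names, the schedule, the runtime and the inline handler are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Execution role: what the function itself may do (write logs).
  # lambda.amazonaws.com appears here, as the principal that assumes the role.
  FunctionRole:                       # hypothetical logical name
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  ScheduledFunction:                  # hypothetical logical name
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt FunctionRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              print(event)

  ScheduleRule:                       # hypothetical logical name
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: rate(5 minutes)   # assumed trigger
      State: ENABLED
      Targets:
        - Arn: !GetAtt ScheduledFunction.Arn
          Id: ScheduledFunctionTarget

  # Resource-based policy on the function: who may invoke it.
  # Without this resource the rule fires but the invocation is denied.
  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ScheduledFunction
      Principal: events.amazonaws.com
      # Scope the grant to this one rule rather than every rule in EventBridge.
      SourceArn: !GetAtt ScheduleRule.Arn
```

Leaving out SourceArn still lets the rule invoke the function, but it allows events.amazonaws.com to invoke it on behalf of any rule, so scoping the permission to the rule's ARN is the least-privilege form.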