What should the developer do to meet these requirements?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A developer uses Amazon S3 Event Notifications to invoke AWS Lambda functions.The Lambda functions process images after the images are uploaded to S3 buckets.The developer has set up a development S3 bucket, a production S3 bucket, a development Lambda function, and a production Lambda function in the same AWS account.The developer notices that uploads to the development S3 bucket wrongly invoke the production Lambda function.The developer must prevent development data from affecting the production Lambda function.

What should the developer do to meet these requirements?

Update the execution role for the production Lambda function. Add a policy that allows the execution role to read from only the production S3 bucket.

Update the S3 bucket policy for the production S3 bucket to invoke the production Lambda function. Update the S3 bucket policy for the development S3 bucket to invoke the development Lambda function.

Separate the development environment and the production environment into their own AWS accounts. Update the execution role for each Lambda function. Add a policy that allows the execution role to read from only the S3 bucket that is in the same account.

Separate the development environment and the production environment into their own AWS accounts. Add a resource policy to the Lambda functions to allow only S3 bucket events in the same account to invoke the functions.

Explanations:

Updating the Lambda function’s execution role to allow reading only from the production S3 bucket would restrict the Lambda’s ability to access the development S3 bucket. However, this doesn’t prevent the S3 event from triggering the wrong Lambda function (i.e., from development).

Updating the S3 bucket policies alone won’t resolve the issue of triggering the wrong Lambda function. S3 event notifications are not controlled by S3 bucket policies, but rather by Lambda event configurations, and the problem lies with misconfiguration of the triggers, not the bucket policies.

Separating the environments into different accounts might help with isolation, but it introduces unnecessary complexity. Additionally, AWS Lambda’s execution role policy doesn’t need to be modified based on account separation as long as the S3 bucket event notification is correctly scoped to trigger the appropriate function.

Separating environments into different accounts and using resource-based Lambda policies to restrict invocations to only S3 events within the same account effectively ensures that the correct Lambda function is invoked based on the source of the event (i.e., the S3 bucket). This approach fully resolves the issue of cross-environment interference.

2025-10-08

1 Comment

  1. Mark
    Author

    I categorize that the answer is:
    Separate the development environment and the production environment into their own AWS accounts. Add a resource policy to the Lambda functions to allow only S3 bucket events in the same account to invoke the functions.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen − one =