Topic 1 Question 281
A company wants to automate the creation of a security report. The company has an AWS Lambda function that gathers data from Amazon Inspector findings stored in AWS Security Hub in the us-west-2 Region. The Lambda function then needs to create a daily report by using an Amazon EventBridge schedule.
A security engineer discovers that the Lambda function is failing to create the report. The security engineer must implement a solution that corrects the issue and provides least privilege permissions.
Which solution will meet these requirements?
A. Create a resource-based policy that allows Security Hub access to the ARN of the Lambda function.
B. Attach the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function’s execution role.
C. Grant the Lambda function’s execution role read-only permissions to access Amazon Inspector and Security Hub.
D. Create a custom IAM policy that grants the Security Hub Get*, List*, Batch*, and Describe* permissions on the arn:aws:securityhub:us-west-2::product/aws/inspector/* resource. Attach the policy to the Lambda function’s execution role.
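The data-gathering step that the Lambda function in this question performs, as an added example that is not part of the question page: it filters the Security Hub GetFindings call to the Inspector product ARN in us-west-2 and pages through the results with NextToken, so the boto3 get_findings call it makes maps to the single securityhub:GetFindings action. The FakeSecurityHub client, the product ARNs and the sample findings are constructed assumptions so the code runs offline.

```python
from collections import Counter

REGION = "us-west-2"  # assumption: the Region named in the question
INSPECTOR_PRODUCT_ARN = f"arn:aws:securityhub:{REGION}::product/aws/inspector"

def inspector_filter():
    # GetFindings filter: only findings Inspector sent to Security Hub, still active.
    return {"ProductArn": [{"Value": INSPECTOR_PRODUCT_ARN, "Comparison": "EQUALS"}],
            "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}

def summarize_findings(client):
    """Page through get_findings (NextToken) and count findings per severity label.
    The only Security Hub action this exercises is securityhub:GetFindings."""
    counts = Counter()
    kwargs = {"Filters": inspector_filter(), "MaxResults": 100}
    while True:
        page = client.get_findings(**kwargs)
        for finding in page["Findings"]:
            counts[finding["Severity"]["Label"]] += 1
        token = page.get("NextToken")
        if not token:
            return dict(counts)
        kwargs["NextToken"] = token

class FakeSecurityHub:
    """Constructed stand-in for boto3.client('securityhub'): honours the ProductArn
    filter and returns one finding per page so the NextToken loop is exercised."""
    def __init__(self, findings):
        self.findings = findings
        self.calls = []  # NextToken passed on each call, kept for inspection

    def get_findings(self, Filters, MaxResults, NextToken=None):
        self.calls.append(NextToken)
        wanted = {f["Value"] for f in Filters["ProductArn"]}
        matching = [f for f in self.findings if f["ProductArn"] in wanted]
        i = int(NextToken or 0)
        page = {"Findings": matching[i:i + 1]}
        if i + 1 < len(matching):
            page["NextToken"] = str(i + 1)
        return page

SAMPLE_FINDINGS = [  # constructed; the GuardDuty finding must not be counted
    {"ProductArn": INSPECTOR_PRODUCT_ARN, "Severity": {"Label": "HIGH"}},
    {"ProductArn": f"arn:aws:securityhub:{REGION}::product/aws/guardduty", "Severity": {"Label": "LOW"}},
    {"ProductArn": INSPECTOR_PRODUCT_ARN, "Severity": {"Label": "MEDIUM"}},
    {"ProductArn": INSPECTOR_PRODUCT_ARN, "Severity": {"Label": "HIGH"}},
]

if __name__ == "__main__":
    print(summarize_findings(FakeSecurityHub(SAMPLE_FINDINGS)))  # {'HIGH': 2, 'MEDIUM': 1}
```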
User votes
Comments (10)
- Selected answer: D
  Is it not D? Or is the Batch:* a problem? But I think there are no batch write/delete operations that can be performed on that resource ARN anyway.
  👍 3 · 723993f · 2024/11/25
- Selected answer: B
  The findings are already in Security Hub, so only read access to Security Hub is needed.
  👍 3 · jdx000 · 2024/11/27
- Selected answer: C
  C grants the Lambda function's execution role the necessary permissions to read from both Amazon Inspector and AWS Security Hub without granting excessive permissions. This approach adheres to the principle of least privilege by providing only the necessary permissions for the Lambda function to perform its task.
  👍 2 · HappyG · 2024/11/30