A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions. The company’s developers are trying to debug a Lambda function that is deployed. The developers cannot debug the Lambda function because the Lambda function is not logging its output to Amazon CloudWatch Logs.
Which combination of steps should a security engineer take to resolve this issue? (Choose two.)
A. Check the role that is defined in the CloudFormation template and is passed to the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
B. Check the execution role that is configured in the CloudFormation template for the Lambda function. Ensure that the execution role has the necessary permissions to write to CloudWatch Logs.
C. Check the Lambda function configuration in the CloudFormation template. Ensure that the Lambda function has an AWS X-Ray tracing configuration that is set to Active mode or PassThrough mode.
D. Check the resource policy that is configured in the CloudFormation template for the Lambda function. Ensure that the resource policy has the necessary permissions to write to CloudWatch Logs.
E. Check the role that the developers use to debug the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
AB
A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions. The company's developers are trying to debug a deployed Lambda function but cannot, because the function is not logging its output to Amazon CloudWatch Logs. Which combination of two steps should a security engineer take to resolve this issue?
Summary: the Lambda function deployed with CloudFormation cannot write its output to CloudWatch Logs, so the developers cannot debug it; the security engineer must identify the two steps that resolve the problem.
For the Lambda function to write its output to CloudWatch Logs, the function must hold sufficient permissions to do so. This means checking the roles and policies associated with the function to see whether they carry the permissions needed to write to CloudWatch Logs. The execution role in particular deserves attention, along with any other roles and policies involved, because the execution role determines what the function is allowed to do while it runs.
Tip: eliminate the clearly wrong options, then pick the most reasonable one among those that remain.
A. Correct. Check the role that is defined in the CloudFormation template and passed to the Lambda function, and ensure that the role has a trust policy allowing the service principal lambda.amazonaws.com to perform sts:AssumeRole. This option concerns the role's trust policy, that is, whether the role can be assumed by the given service principal. This is
B. Correct. Check the execution role configured in the CloudFormation template for the Lambda function, and ensure that the execution role has the permissions needed to write to CloudWatch Logs. This option is one of the key steps in resolving the issue: the execution role determines what the Lambda function can do at runtime, and if the execution role lacks permission to write to CloudWatch Logs, the function cannot log its output there. So this option is correct.
C. Incorrect. Check the Lambda function configuration in the CloudFormation template, and ensure that the function has an AWS X-Ray tracing configuration set to Active or PassThrough mode. X-Ray tracing is used for application performance analysis and tracing; it has nothing to do with whether the Lambda function can write its output to CloudWatch Logs.
D. Incorrect. Check the resource policy configured in the CloudFormation template for the Lambda function, and ensure that the resource policy has the permissions needed to write to CloudWatch Logs. A resource policy controls access to the Lambda function resource itself; it does not decide whether the function can write to CloudWatch Logs. That write permission is determined by the execution role.
E. Incorrect. Check the role that the developers use to debug the Lambda function, and ensure that the role has a trust policy allowing the service principal lambda.amazonaws.com to perform sts:AssumeRole. This option concerns the trust policy of the developers' debugging role, which has no direct bearing on whether the Lambda function can write its output to CloudWatch Logs.
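The two checks behind options A and B, as an added example that is not part of the original question or explanation: a small Python checker that takes a CloudFormation template in its parsed dict form, follows the function's `Role` reference to the execution role, and confirms that (1) the trust policy lets `lambda.amazonaws.com` call `sts:AssumeRole` and (2) the role is allowed the three CloudWatch Logs write actions that `AWSLambdaBasicExecutionRole` grants. The `build_template` and `check_execution_role` functions, the logical IDs `DebugFunction` and `DebugFunctionRole`, and the sample templates are constructed here for illustration and are not AWS or CloudFormation APIs.

```python
# Added example, not from the original page. Checks a CloudFormation template
# (as a Python dict, i.e. the parsed JSON/YAML) for the two execution-role
# problems that stop a Lambda function from logging to CloudWatch Logs.
# Helper names and logical IDs below are constructed for this example.

# The actions a function needs to create its log group/stream and write events.
REQUIRED_LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}
# AWS managed policy that grants exactly those three actions.
LAMBDA_BASIC_EXECUTION = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals named in a statement; Principal may be a dict or "*"."""
    principal = statement.get("Principal", {})
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []


def build_template(trusted_service, policy_actions, managed_policy_arns=()):
    """Construct a minimal template: one IAM role and one Lambda function that
    references it through Fn::GetAtt. Sample values only."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "DebugFunctionRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Principal": {"Service": trusted_service},
                                       "Action": "sts:AssumeRole"}],
                    },
                    "ManagedPolicyArns": list(managed_policy_arns),
                    "Policies": [{
                        "PolicyName": "function-permissions",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow",
                                           "Action": list(policy_actions),
                                           "Resource": "*"}],
                        },
                    }],
                },
            },
            "DebugFunction": {
                "Type": "AWS::Lambda::Function",
                "Properties": {
                    "Runtime": "python3.12",
                    "Handler": "index.handler",
                    "Role": {"Fn::GetAtt": ["DebugFunctionRole", "Arn"]},
                    "Code": {"ZipFile": "def handler(event, context):\n    print(event)\n"},
                },
            },
        },
    }


def check_execution_role(template, function_id):
    """Return a list of findings for the function's execution role; [] means both checks passed."""
    resources = template["Resources"]
    role_ref = resources[function_id]["Properties"]["Role"]
    # Follow the Fn::GetAtt reference back to the role declared in the same template.
    role = resources[role_ref["Fn::GetAtt"][0]]["Properties"]
    findings = []

    # Check 1 (option A): the trust policy must let the Lambda service assume the role.
    trust_ok = any(
        stmt.get("Effect") == "Allow"
        and "lambda.amazonaws.com" in _service_principals(stmt)
        and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
        for stmt in role["AssumeRolePolicyDocument"]["Statement"]
    )
    if not trust_ok:
        findings.append("trust policy does not allow lambda.amazonaws.com to call sts:AssumeRole")

    # Check 2 (option B): collect the Allow actions from the managed policy shortcut
    # and the inline policies, then see which log-write actions are still missing.
    allowed = set(REQUIRED_LOG_ACTIONS) if LAMBDA_BASIC_EXECUTION in role.get("ManagedPolicyArns", []) else set()
    for policy in role.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                if action in ("logs:*", "*"):
                    allowed |= REQUIRED_LOG_ACTIONS
                else:
                    allowed.add(action)
    missing = REQUIRED_LOG_ACTIONS - allowed
    if missing:
        findings.append("execution role cannot write to CloudWatch Logs; missing " + ", ".join(sorted(missing)))
    return findings


# Constructed samples: a role that lets the function read from S3 but grants no
# log-write actions (the situation in the question), and the corrected role.
BROKEN_TEMPLATE = build_template("lambda.amazonaws.com", ["s3:GetObject"])
FIXED_TEMPLATE = build_template("lambda.amazonaws.com", ["s3:GetObject"],
                                managed_policy_arns=[LAMBDA_BASIC_EXECUTION])

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, check_execution_role(tpl, "DebugFunction") or ["ok"])
```

Resource scoping is deliberately not checked, so the checker answers only the question the scenario asks (can the role write to CloudWatch Logs at all); tightening the `Resource` to the function's own log group is a separate least-privilege step. Options D and E fall outside this check by design: the function's resource policy and the developers' own role play no part in whether the function can log.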