Clients can upload photos to an S3 bucket through a web application. When a photo is uploaded successfully, a Lambda function needs to be invoked to get the file and perform some analysis. You have already configured an event notification in the S3 bucket for the ObjectCreate events. How would you configure the permissions to allow Amazon S3 to invoke the Lambda function?

Answer options:

A.Add permissions to the Lambda execution role that allows the function to perform the "s3:GetObject" action.
B.Add permissions to the S3 bucket policy that allows the S3 bucket to invoke the Lambda function.
C.Add permissions to the S3 access control list (ACL) to permit the S3 bucket to invoke the Lambda function when an object is uploaded in the S3 bucket.
D.Add permissions to the Lambda function access policy that allows the Amazon S3 bucket principal to perform the "lambda:InvokeFunction" action.

Correct Answer – D
Lambda can be used to process event notifications from Amazon Simple Storage Service. In this scenario, Amazon S3 should send an event to the Lambda function for processing when objects are created. References can be found in https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html and
https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html.
Option A is incorrect: Because permissions in the Lambda execution role determine the permitted actions of the Lambda function. However, this question asks for the permission to allow S3 to invoke the Lambda function.
Option B is incorrect: Because S3 bucket policy is a resource policy that configures who is allowed to perform actions on the S3 bucket. It does not control whether or not the S3 bucket can invoke a Lambda function.
Option C is incorrect: Similar to Option
B. S3 ACL determines who and how the S3 bucket is accessed.
Option D is CORRECT: Because the Lambda function policy is used to permit a principal to invoke the function. An example is as below:
{
"Sid": "event_permissions_for_TestFunction",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:ap-southeast-1:xxxxxxxxxxxx:function:TestFunction",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "xxxxxxxxxxxx"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::s3-test"
}
}
}