Your team builds up a Lambda function in your AWS account that analyzes the data stored in DynamoDB and forwards the analysis result to an SQS queue. IAM users and roles from another AWS account (123456789012) also need to invoke the Lambda function.
You are responsible for configuring the permissions so that IAM entities in the account (123456789012) can invoke the Lambda function properly. Which of the following options would you choose?

Answer options:

A.Specify the account ID (123456789012) as the principal in the Lambda function policy. In the account (123456789012), configure IAM entities to have the permissions to invoke the Lambda function.
B.Grant permissions to the AWS account (123456789012) in the Lambda resource policy by specifying the account ID as the resource.
C.Sign in to the other account (123456789012) and configure a cross-account IAM role with permissions to invoke the Lambda function. IAM entities assume the role before executing the function.
D.Specify the account ID (123456789012) as the trusted entity in the Lambda function policy. Permit IAM entities in the account (123456789012) to use the Invoke Lambda API.

Answer: A
Option A is CORRECT because to allow other AWS accounts, users can grant IAM entities from another AWS account to access the Lambda function by adding a suitable Lambda function policy.
Option B is incorrect because the account ID should be put in the principal field rather than the resource field.
Option C is incorrect because the cross-account role should be created in the AWS account of the Lambda function.
Option D is incorrect because the account ID should be inserted in the principal field of the Lambda function policy.
$ aws lambda add-permission --function-name test-function:prod --statement-id xaccount --action lambda:InvokeFunction --principal 123456789012 --output text
Reference:
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke.