Question 37:
You are a software engineer creating a new web service in AWS. The service manages daily schedules that end users can configure and fetch. It has an AngularJS front end that works with data in a DynamoDB table called "UserScheduleData", which requires read and write permissions. You plan to use API Gateway and Lambda to handle the backend service. During development, you also need to run integration tests frequently using curl against the API endpoints. You have created a role “ScheduleRoleLambda” for the Lambda function itself. Which of the options below should you perform to ensure that the Lambda function has the necessary permissions in the service role? (Select TWO).
Answer options:
A. The AWSXrayWriteOnlyAccess policy is needed for “ScheduleRoleLambda” so that a segment record with details about the function invocation and execution can be saved for tracking and debugging purposes.
B. “ScheduleRoleLambda” should have a policy for CloudWatch Logs including CreateLogGroup, CreateLogStream and PutLogEvents.
C. Invoke permissions are needed in the permissions policy associated with your Lambda function so that API Gateway can call the Lambda function.
D. An inline policy allowing “sns:publish” should be added to “ScheduleRoleLambda” for error handling. For example, when an exception occurs, the message can be put into a dead letter queue via SNS publish.
E. “ScheduleRoleLambda” should contain an inline policy to allow DynamoDB access. The resource should be “*” and the actions should contain "dynamodb:FetchItem", "dynamodb:PutItem" and "dynamodb:Query".
F. An IAM policy to allow DynamoDB access is needed for “ScheduleRoleLambda”. The resource should be the ARN of “UserScheduleData” and the actions should contain "dynamodb:GetItem" and "dynamodb:PutItem".