SAP-C02 Question 129
Question
An external audit of a company’s serverless application reveals IAM policies that grant too many permissions. These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task. A solutions architect must determine which permissions each Lambda function needs. What should the solutions architect do to meet this requirement with the LEAST amount of effort?
Options
A. Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create an inventory of the required API calls and resources for each Lambda function. Create new IAM access policies for each Lambda function. Review the new policies to ensure that they meet the company's business requirements.
B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.
C. Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log, search for AWS API calls by Lambda execution role, and create a summary report. Review the report. Create IAM access policies that provide more restrictive permissions for each Lambda function.
D. Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3. Use Amazon EMR to process the CloudTrail logs in Amazon S3 and produce a report of API calls and resources used by each execution role. Create a new IAM access policy for each role. Export the generated roles to an S3 bucket. Review the generated policies to ensure that they meet the company’s business requirements.
Answer
B
Explanation
Correct answer: B
Explanation: B should be chosen for this question.
Correct option: B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.
Reason for choosing: this option most directly satisfies the key constraint in the question stem. When working through SAP-C02 questions, also check against the qualifiers in the stem, such as highest performance, least...
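As an added illustration (not part of this page and not IAM Access Analyzer's own implementation), the Python below sketches what policy generation from CloudTrail activity does: each recorded API call is attributed to the Lambda execution role through `userIdentity.sessionContext.sessionIssuer`, and a draft policy is limited to the actions and resource ARNs actually observed. The sample events, role and resource ARNs are constructed.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail events (not real log data). A Lambda function's
# calls appear under the execution role it assumed, in sessionContext.sessionIssuer.
ROLE = "arn:aws:iam::123456789012:role/order-fn-role"  # constructed ARN
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "resources": [{"ARN": "arn:aws:s3:::orders-bucket/in/1.json"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "resources": [{"ARN": "arn:aws:s3:::orders-bucket/in/2.json"}]},
    # A service event with no session issuer: cannot be attributed to a role, skipped.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService"}},
]

# Map eventSource to the IAM action prefix (only the services this sketch handles).
SERVICE_PREFIX = {"s3.amazonaws.com": "s3", "dynamodb.amazonaws.com": "dynamodb"}

def role_of(event):
    """Return the assumed role ARN recorded for the event, or None."""
    return (event.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))

def summarize_by_role(events):
    """Map role ARN -> {IAM action -> set of resource ARNs} from CloudTrail events."""
    summary = defaultdict(lambda: defaultdict(set))
    for ev in events:
        role = role_of(ev)
        prefix = SERVICE_PREFIX.get(ev.get("eventSource"))
        if not role or not prefix:
            continue
        action = f"{prefix}:{ev['eventName']}"
        for res in ev.get("resources", []):
            summary[role][action].add(res["ARN"])
    return summary

def least_privilege_policy(summary, role_arn):
    """Draft an IAM policy allowing only the actions/resources observed for the role."""
    statements = [{"Effect": "Allow", "Action": action,
                   "Resource": sorted(summary[role_arn][action])}
                  for action in sorted(summary[role_arn])]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(summarize_by_role(SAMPLE_EVENTS), ROLE), indent=2))
```

Two caveats that also apply to the generated policies in option B: S3 object-level calls such as GetObject are only recorded if data events are enabled on the trail, and activity-based policies omit any code path the function did not exercise during the observation window, which is why the review step is still required.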