Question #639
A developer is building a highly secure financial application using AWS Lambda. The application needs to store sensitive session data temporarily in the /tmp directory. How should the developer ensure this data is encrypted?
A. Configure the Lambda function to use an encrypted Amazon EFS file system mounted to /tmp, using an AWS KMS key for encryption.
B. Assign the Lambda function an IAM role with permissions to access AWS KMS. Use KMS to generate a unique data key for each session, and encrypt the data with this key before writing it to /tmp.
C. Use a third-party encryption library within the Lambda code to generate and manage encryption keys, encrypting data before storage.
D. Integrate an external key management service hosted on EC2 instances to provide encryption keys for each Lambda invocation.
Explanation
Answer B is correct because it encrypts the session data at the application level, with a key obtained from AWS KMS, before anything is written to the Lambda /tmp directory. This is envelope encryption: the function calls KMS GenerateDataKey, uses the returned plaintext data key to encrypt the session data locally, stores only the ciphertext together with the KMS-encrypted copy of the data key, and discards the plaintext key. To read the data back it sends the encrypted data key to KMS Decrypt. A separate data key per session limits the impact of any single key being exposed, and because the KMS key itself never leaves KMS, the data stays protected regardless of how the underlying /tmp storage is encrypted. AWS KMS is the managed service built for this key-management job, and the function needs only a least-privilege IAM role allowing kms:GenerateDataKey and kms:Decrypt on that one key.
Option A is incorrect because Lambda mounts EFS file systems only under a local path beginning with /mnt/, not at /tmp, and it adds VPC configuration and cost for data that is ephemeral by design. Option C is weaker because a library can perform the encryption but does not solve key management: keys generated and managed inside the function code have to be stored or hard-coded somewhere the function can reach, so there is no separate root of trust, and the library itself is additional supply-chain exposure. Option D is suboptimal because a self-managed key service on EC2 reproduces what KMS already provides while adding operational overhead and attack surface.
Answer
The correct answer is: B
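The following is an added worked example of answer B, not code from the question or from AWS: it writes one session's data to /tmp under a fresh per-session data key and reads it back, checking the two failure modes a practitioner cares about (a modified file and an envelope re-filed under a different session id). The real KMS calls are boto3's kms.generate_data_key(KeyId=..., KeySpec=..., EncryptionContext=...) and kms.decrypt(CiphertextBlob=..., EncryptionContext=...); so that it runs offline, the FakeKms class is a constructed stand-in with the same call shapes, the key alias "alias/session-data" and the session-file naming are assumptions, and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a standard-library stand-in for the AES-GCM you would use in production.

```python
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile

SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # a session id must never become a path component

def _keystream_xor(key, nonce, data):  # HMAC-SHA256 in counter mode: stdlib stand-in for AES-CTR
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _subkeys(key):  # independent encryption and MAC keys derived from one 256-bit data key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def aead_encrypt(key, plaintext, aad=b""):  # encrypt-then-MAC; returns nonce || ct || tag
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check before any decryption
        raise ValueError("ciphertext or encryption context was modified")
    return _keystream_xor(enc_key, nonce, ct)

class FakeKms:
    """Constructed offline stand-in for boto3's KMS client; like KMS, it binds EncryptionContext to the wrapped key."""
    def __init__(self):
        self._master = os.urandom(32)  # the key that never leaves "KMS"
    @staticmethod
    def _aad(ctx):
        return json.dumps(ctx or {}, sort_keys=True).encode()
    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        plaintext = os.urandom(32)
        wrapped = aead_encrypt(self._master, plaintext, self._aad(EncryptionContext))
        return {"KeyId": KeyId, "Plaintext": plaintext, "CiphertextBlob": wrapped}
    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        return {"Plaintext": aead_decrypt(self._master, CiphertextBlob, self._aad(EncryptionContext))}

def _session_path(tmp_dir, session_id):
    if not SESSION_ID_RE.match(session_id):
        raise ValueError("invalid session id")
    return os.path.join(tmp_dir, f"session-{session_id}.enc")

def write_session(kms, session_id, data, tmp_dir="/tmp"):
    """Encrypt data under a fresh per-session data key and write the envelope to tmp_dir."""
    path = _session_path(tmp_dir, session_id)
    ctx = {"purpose": "session", "session_id": session_id}
    dk = kms.generate_data_key(KeyId="alias/session-data",  # assumed alias name
                               KeySpec="AES_256", EncryptionContext=ctx)
    ct = aead_encrypt(dk["Plaintext"], data)  # the plaintext data key is used here and never persisted
    envelope = {"key_id": dk["KeyId"], "ct": base64.b64encode(ct).decode(),
                "edk": base64.b64encode(dk["CiphertextBlob"]).decode()}  # only the KMS-wrapped key goes to disk
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only file mode
    with os.fdopen(fd, "w") as f:
        json.dump(envelope, f)
    return path

def read_session(kms, session_id, tmp_dir="/tmp"):
    """Have KMS unwrap the data key, then decrypt; the context is rebuilt from the caller, not read from the file."""
    with open(_session_path(tmp_dir, session_id)) as f:
        env = json.load(f)
    ctx = {"purpose": "session", "session_id": session_id}
    dk = kms.decrypt(CiphertextBlob=base64.b64decode(env["edk"]), EncryptionContext=ctx)
    return aead_decrypt(dk["Plaintext"], base64.b64decode(env["ct"]))

def _rejected(fn):  # True when fn fails the authentication check
    try:
        fn()
    except ValueError:
        return True
    return False

def demo_roundtrip(tmp_dir=""):  # in Lambda, replace FakeKms() with boto3.client("kms")
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    kms = FakeKms()
    secret = b'{"user":"u-123","mfa_verified":true}'  # constructed sample session data
    path = write_session(kms, "s1", secret, tmp_dir)
    roundtrip = read_session(kms, "s1", tmp_dir) == secret
    os.link(path, _session_path(tmp_dir, "s2"))  # same envelope reachable under another session id
    ctx_rejected = _rejected(lambda: read_session(kms, "s2", tmp_dir))  # KMS context no longer matches
    with open(path) as f:
        env = json.load(f)
    ct = bytearray(base64.b64decode(env["ct"]))
    ct[20] ^= 0x01  # flip one ciphertext bit on disk
    env["ct"] = base64.b64encode(bytes(ct)).decode()
    with open(path, "w") as f:
        json.dump(env, f)
    return {"roundtrip": roundtrip, "context_mismatch_rejected": ctx_rejected,
            "tamper_rejected": _rejected(lambda: read_session(kms, "s1", tmp_dir))}
```

Two design points carry over to the real service unchanged: the EncryptionContext ties each wrapped data key to its session, so KMS itself refuses to unwrap a key presented under a different session id, and the context is rebuilt from the caller's session id rather than trusted from the file in /tmp. The IAM role this needs is only kms:GenerateDataKey and kms:Decrypt on the one key.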