Question #916
A company uses an AWS Lambda function to handle user authentication. A developer needs to ensure encryption in transit for all sensitive configuration data, including database credentials, stored within the application. The developer has already created an AWS KMS customer managed key. What should the developer do next to fulfill the encryption requirement?
A. Store the credentials as SecureString parameters in AWS Systems Manager Parameter Store using the KMS key. Reference the GetParameter API in the Lambda environment variables to access the parameters.
B. Create secrets in AWS Secrets Manager encrypted with the KMS key. Modify the Lambda function's code to call Secrets Manager directly during execution to retrieve the credentials.
C. Upload encrypted JSON files containing the credentials to Amazon S3 using the KMS key. Configure the Lambda function to download and decrypt the files from S3 at runtime.
D. Use encrypted Lambda environment variables with the KMS key. Enable encryption helpers for in-transit protection. Grant the Lambda execution role permissions to decrypt using the KMS key.
Explanation
Option D is correct because using encrypted Lambda environment variables with a KMS customer managed key ensures that sensitive data (like database credentials) is encrypted both in transit and at rest. When deploying the Lambda function, environment variables are transmitted over HTTPS, providing encryption in transit. The KMS key encrypts the data at rest, and the Lambda execution role's permissions allow decryption at runtime. Encryption helpers automate the process, ensuring security without additional code.
Other options are incorrect because:
- A: SecureString parameters in Parameter Store are encrypted at rest, but retrieving them requires external API calls, and the data is stored outside the application.
- B: Secrets Manager retrieves secrets externally over TLS, but the credentials are not stored within the application.
- C: S3 requires file downloads at runtime, adding complexity and external storage.
Key Points:
1. Lambda environment variables encrypted with KMS protect data at rest and in transit during deployment.
2. Encryption helpers simplify securing environment variables.
3. Granting decrypt permissions to the Lambda execution role is essential for accessing encrypted variables.
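As an added illustration of Key Points 2 and 3 (example code, not part of the original question and not AWS's own code), the Python below mirrors the decrypt-at-runtime pattern that the Lambda console's encryption helpers generate: the environment variable holds base64 ciphertext produced with the customer managed key, and the function calls kms:Decrypt with the function name as encryption context, so a ciphertext copied from another function's configuration is rejected. The variable names, the function name and the `FakeKmsClient` are constructed so the module runs offline; in a real function the execution role needs `kms:Decrypt` on the key, and `boto3` supplies the client.

```python
"""Decrypt KMS-encrypted Lambda environment variables once per container.

Encryption helpers encrypt each value client-side, so the function itself must
call kms:Decrypt at runtime (without helpers, Lambda decrypts the variables
for the runtime automatically). Names below are assumed for illustration.
"""
import os
from base64 import b64decode, b64encode

SECRET_VARS = ("DB_USERNAME", "DB_PASSWORD")  # assumed variable names


def decrypt_env_value(ciphertext_b64, function_name, kms_client):
    """Decrypt one encryption-helper value.

    The encryption context binds the ciphertext to this function's name;
    KMS refuses to decrypt it under any other context.
    """
    response = kms_client.decrypt(
        CiphertextBlob=b64decode(ciphertext_b64),
        EncryptionContext={"LambdaFunctionName": function_name},
    )
    return response["Plaintext"].decode("utf-8")


def load_secrets(environ, kms_client):
    """Decrypt every configured secret, returning a plaintext dict."""
    function_name = environ["AWS_LAMBDA_FUNCTION_NAME"]
    return {
        name: decrypt_env_value(environ[name], function_name, kms_client)
        for name in SECRET_VARS
        if name in environ
    }


def _real_kms_client():
    import boto3  # imported lazily so the module loads without the SDK
    return boto3.client("kms")


_SECRETS = None  # cold-start cache: decrypt once per container, not per call


def get_secrets(kms_client=None):
    global _SECRETS
    if _SECRETS is None:
        _SECRETS = load_secrets(os.environ, kms_client or _real_kms_client())
    return _SECRETS


def lambda_handler(event, context):
    secrets = get_secrets()
    # secrets["DB_PASSWORD"] opens the database connection; never log it.
    return {"statusCode": 200, "body": "checked user %s" % event.get("user")}


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client (offline testing only).

    Like real KMS, it rejects a ciphertext whose encryption context differs
    from the one supplied at encryption time.
    """

    def __init__(self):
        self._store = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        blob = ("fake:%s:%d" % (KeyId, len(self._store))).encode()
        self._store[blob] = (Plaintext, tuple(sorted(EncryptionContext.items())))
        return {"CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        plaintext, ctx = self._store[CiphertextBlob]
        if ctx != tuple(sorted(EncryptionContext.items())):
            raise ValueError("InvalidCiphertextException: context mismatch")
        return {"Plaintext": plaintext}


def build_demo_environment(function_name="auth-fn"):
    """Constructed deployment: encrypt sample credentials the way the helpers do."""
    client = FakeKmsClient()
    key_id = "alias/EXAMPLE-CMK"  # placeholder for the customer managed key
    context = {"LambdaFunctionName": function_name}
    environ = {"AWS_LAMBDA_FUNCTION_NAME": function_name}
    for name, value in (("DB_USERNAME", "app_user"), ("DB_PASSWORD", "s3cr3t-example")):
        blob = client.encrypt(KeyId=key_id, Plaintext=value.encode(), EncryptionContext=context)
        environ[name] = b64encode(blob["CiphertextBlob"]).decode()
    return environ, client


if __name__ == "__main__":
    env, kms = build_demo_environment()
    print(sorted(load_secrets(env, kms)))  # plaintext keys, values not printed
```

The cold-start cache matters for both cost and security: one kms:Decrypt per container keeps KMS request volume low, and the plaintext never leaves process memory or appears in logs.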
Answer
The correct answer is: D