AWS Certified Solutions Architect - Associate / Question #1810 of 1019

Question #1810

A company is using AWS Lambda functions and needs to ensure that environment variables are encrypted at rest and cannot be viewed in plaintext by developers during deployment or execution. Which solution meets these requirements?

A

Migrate the Lambda functions to AWS Fargate containers and store environment variables in AWS Secrets Manager.

B

Enable SSL/TLS encryption for the Lambda functions using AWS CloudHSM to encrypt the environment variables.

C

Use AWS Certificate Manager (ACM) to generate a certificate and configure the Lambda functions to encrypt environment variables with the certificate.

D

Create an AWS Key Management Service (KMS) key and enable encryption helpers for the Lambda functions to encrypt environment variables using the KMS key.

Explanation

Answer D is correct. Lambda always encrypts environment variables at rest with a KMS key (an AWS managed key unless you select a customer managed key). To also keep the values out of sight of anyone who can read the function configuration, create a KMS key and enable the console's encryption helpers: each value is then encrypted client-side with that key before it is stored, so the console, the GetFunctionConfiguration API and deployment tooling show only ciphertext, and the function code must call kms:Decrypt at runtime to recover the plaintext. Developers therefore see ciphertext unless their IAM principal holds kms:Decrypt on that key; granting decrypt only to the function's execution role keeps the plaintext out of their reach during deployment and execution, provided the function never logs or returns the decrypted value.

Other options are incorrect because:
- A: Migrating to Fargate changes the compute platform for no reason; Lambda can already encrypt environment variables. Secrets Manager is a reasonable place to keep secrets, but it does not satisfy the stated requirement, which is to encrypt the Lambda environment variables themselves.
- B: TLS encrypts data in transit, not at rest, and CloudHSM is a dedicated hardware security module service with no native integration for Lambda environment variables; the option combines unrelated services.
- C: ACM manages TLS certificates, which are unrelated to encrypting environment variables.

Key Points:
1. Lambda encrypts environment variables at rest with KMS by default (AWS managed key); a customer managed key gives you control over the key policy and audit trail.
2. Encryption helpers encrypt values client-side before they are stored, so the configuration only ever holds ciphertext; the function code must call kms:Decrypt at runtime (cache the result outside the handler to avoid a KMS call on every invocation).
3. Who can read plaintext is governed by the key policy and IAM: grant kms:Decrypt to the function's execution role, not to developer principals.
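The runtime side of option D, as an added example rather than the exam page's or AWS's own code: the value stored in the environment is only ciphertext, and the function decrypts it with kms:Decrypt using the LambdaFunctionName encryption context that the console's encryption helper binds the ciphertext to. FakeKmsClient, the key alias, the variable name DB_PASSWORD and the function names are constructed stand-ins so the module runs offline; in Lambda you pass boto3.client("kms"). It also shows two details the key points gloss over: the decrypted value is cached across warm invocations, and a blob copied into another function's configuration does not decrypt.

```python
"""Runtime decryption of a Lambda environment variable encrypted with the
console's encryption helpers (option D). Added example; not the exam page's
or AWS's own code. FakeKmsClient and the seeded values are constructed
stand-ins so this runs offline; in Lambda, pass boto3.client("kms")."""
import base64
import os


class InvalidCiphertextError(Exception):
    """Stand-in for KMS.Client.exceptions.InvalidCiphertextException, which
    KMS raises when the ciphertext or its encryption context does not match."""


class FakeKmsClient:
    """Constructed offline stand-in for boto3's KMS client. Like KMS, it binds
    each ciphertext to the encryption context given at encrypt time and
    refuses to decrypt under any other context."""

    def __init__(self):
        self._store = {}  # ciphertext blob -> (sorted context items, plaintext)

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        ctx = tuple(sorted((EncryptionContext or {}).items()))
        blob = os.urandom(32)  # opaque token; real KMS returns real ciphertext
        self._store[blob] = (ctx, bytes(Plaintext))
        return {"CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        ctx = tuple(sorted((EncryptionContext or {}).items()))
        entry = self._store.get(CiphertextBlob)
        if entry is None or entry[0] != ctx:
            raise InvalidCiphertextError("ciphertext does not match context")
        return {"Plaintext": entry[1]}


def encryption_context(function_name):
    """The context the Lambda console's encryption helper uses (per the AWS
    docs): the ciphertext is bound to the function name, so a blob copied
    into another function's configuration fails to decrypt."""
    return {"LambdaFunctionName": function_name}


def seed_encrypted_env(kms, key_id, name, plaintext, function_name):
    """Mimic what the console helper does at deploy time: encrypt the value
    under the KMS key with the function-name context and store base64
    ciphertext in the environment. Only ciphertext is visible afterwards."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext.encode("utf-8"),
                       EncryptionContext=encryption_context(function_name))
    os.environ[name] = base64.b64encode(resp["CiphertextBlob"]).decode("ascii")
    return os.environ[name]


_cache = {}  # decrypted values survive across warm invocations


def decrypt_env_var(kms, name, function_name):
    """Decrypt environment variable `name` via kms:Decrypt, caching the result
    so warm invocations do not pay a KMS call each time. The execution role
    needs kms:Decrypt on the key; developers reading the configuration do not."""
    key = (name, function_name)
    if key not in _cache:
        ciphertext = base64.b64decode(os.environ[name])
        resp = kms.decrypt(CiphertextBlob=ciphertext,
                           EncryptionContext=encryption_context(function_name))
        _cache[key] = resp["Plaintext"].decode("utf-8")
    return _cache[key]


def is_decryptable(kms, name, function_name):
    """True if the stored ciphertext decrypts under this function's context."""
    try:
        decrypt_env_var(kms, name, function_name)
        return True
    except InvalidCiphertextError:
        return False


def lambda_handler(event, context):
    """Real handler shape (assumed variable name DB_PASSWORD). boto3 is
    imported here so the module still loads where boto3 is not installed."""
    import boto3  # present in the Lambda runtime
    password = decrypt_env_var(boto3.client("kms"), "DB_PASSWORD",
                               os.environ["AWS_LAMBDA_FUNCTION_NAME"])
    # Use the secret; never log or return it, or CloudWatch Logs readers see it.
    return {"statusCode": 200, "secret_length": len(password)}


if __name__ == "__main__":
    kms = FakeKmsClient()
    seed_encrypted_env(kms, "alias/lambda-env", "DB_PASSWORD", "s3cr3t", "orders-api")
    print("stored value:", os.environ["DB_PASSWORD"])  # ciphertext only
    print("decrypted in function:", decrypt_env_var(kms, "DB_PASSWORD", "orders-api"))
    print("copied into another function decrypts:",
          is_decryptable(kms, "DB_PASSWORD", "other-function"))
```

Pair this with a key policy that grants kms:Decrypt to the function's execution role only; a developer with lambda:GetFunctionConfiguration then sees 44 characters of base64 ciphertext and nothing else, and the encryption context stops the blob from being reused in a function whose role does hold decrypt permission.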

Answer

The correct answer is: D