Which solution will meet these requirements?
Deploy code to Amazon EC2 instances instead of using Lambda functions.
Configure SSL encryption on the Lambda functions to use AWS CloudHSM to store and encrypt the environment variables.
Create a certificate in AWS Certificate Manager (ACM). Configure the Lambda functions to use the certificate to encrypt the environment variables.
Create an AWS Key Management Service (AWS KMS) key. Enable encryption helpers on the Lambda functions to use the KMS key to store and encrypt the environment variables.
Explanations:
Deploying code to Amazon EC2 instances does not inherently solve the issue of environment variable visibility. Lambda functions provide a serverless model that abstracts infrastructure management, while EC2 instances require more operational oversight and do not address the plaintext environment variable issue.
SSL encryption is used for secure communication, but it does not encrypt environment variables stored within Lambda functions. AWS CloudHSM is focused on key management and cryptographic operations, not specifically on securing environment variables in Lambda.
AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates, which facilitate secure connections but do not directly provide a method for encrypting or securing environment variables within Lambda functions.
Creating an AWS Key Management Service (AWS KMS) key and using it to encrypt environment variables allows developers to store sensitive information securely. By enabling encryption helpers, the Lambda functions can automatically encrypt and decrypt environment variables, preventing plaintext visibility to developers while still allowing access to the necessary data during execution.