How should the developer encrypt this data?
Enable Amazon EBS volume encryption with an AWS KMS key in the Lambda function configuration so that all storage attached to the Lambda function is encrypted.
Set up the Lambda function with a role and key policy to access an AWS KMS key. Use the key to generate a data key used to encrypt all data prior to writing to /tmp storage.
Use OpenSSL to generate a symmetric encryption key on Lambda startup. Use this key to encrypt the data prior to writing to /tmp.
Use an on-premises hardware security module (HSM) to generate keys, where the Lambda function requests a data key from the HSM and uses that to encrypt data on all requests to the function.
Explanations:
Amazon EBS volume encryption is not applicable to AWS Lambda. A Lambda function has no EBS volume attached and no setting in its configuration to enable one; its /tmp directory is ephemeral storage scoped to the execution environment, so an EBS KMS setting would have nothing to act on.
This option is correct and is the standard envelope-encryption pattern. The function's execution role is granted kms:GenerateDataKey and kms:Decrypt, and the KMS key policy allows that role (both sides are needed, because KMS evaluates the key policy in addition to IAM). The function calls GenerateDataKey, receives a plaintext data key and the same key encrypted under the KMS key (the CiphertextBlob), encrypts the data with the plaintext key in memory, writes the ciphertext plus the encrypted data key to /tmp, and discards the plaintext key. Only the encrypted data key is ever at rest, the KMS key never leaves KMS, and every key request is recorded in AWS CloudTrail.
Generating a symmetric key with OpenSSL at function startup would encrypt the bytes on disk, but the key is unmanaged: there is no key policy controlling who can use it, no CloudTrail record of its use, no rotation, and no way to revoke it. The key material also sits in the same process that handles untrusted input, and it is recreated on every cold start with no record of what was written under the previous one. For a highly secure application that lacks the controls KMS provides.
Requesting a data key from an on-premises HSM adds a network round trip to every invocation, makes function availability depend on the on-premises link, and requires the developer to build and secure the HSM connectivity, authentication and key wrapping that KMS already provides. It offers no security benefit over KMS for this use case and runs against the serverless model the function is built on.
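The following is an added example of the correct option (a KMS data key used to envelope-encrypt data before it is written to /tmp); it is not code from the original question or from AWS. It assumes a hypothetical key ARN, a role that is allowed kms:GenerateDataKey and kms:Decrypt on that key, and, in Lambda, a client created with boto3.client("kms"). FakeKMS is a constructed offline stand-in with the same call and response shape as the boto3 KMS client, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for AES-GCM so the file runs without extra packages; in production use the cryptography package's AESGCM or the AWS Encryption SDK for the data encryption step.

```python
"""Envelope encryption of Lambda /tmp data with a KMS-generated data key.

Added example. Assumed: DATA_KEY_ARN is hypothetical; the function role and
the key policy both allow kms:GenerateDataKey and kms:Decrypt; FakeKMS is a
constructed stand-in for boto3.client("kms") so this runs offline.
"""
import hashlib
import hmac
import os
import secrets
import struct
import tempfile

DATA_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # hypothetical
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(data_key: bytes):
    # Derive independent encryption and MAC keys from one 256-bit data key.
    return (hmac.new(data_key, b"enc", hashlib.sha256).digest(),
            hmac.new(data_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; stdlib stand-in for AES-CTR/GCM.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(data_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything tampered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(data_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Constructed offline stand-in for boto3.client("kms"); the 'KMS key' is in memory here."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.calls = []

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        # Real KMS returns the data key both in plaintext and wrapped under KeyId.
        self.calls.append("GenerateDataKey")
        plaintext = secrets.token_bytes(32)
        return {"KeyId": KeyId, "Plaintext": plaintext,
                "CiphertextBlob": seal(self._master, plaintext)}

    def decrypt(self, CiphertextBlob):
        # For symmetric keys KMS identifies the key from the blob; no KeyId needed.
        self.calls.append("Decrypt")
        return {"Plaintext": unseal(self._master, CiphertextBlob)}


def write_encrypted(kms, key_id: str, path: str, plaintext: bytes) -> int:
    """One data key per file; only the wrapped key is persisted next to the ciphertext."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    body = seal(resp["Plaintext"], plaintext)
    del resp["Plaintext"]  # plaintext key is used in memory only and dropped here
    wrapped = resp["CiphertextBlob"]
    with open(path, "wb") as f:
        return f.write(struct.pack(">I", len(wrapped)) + wrapped + body)


def read_encrypted(kms, path: str) -> bytes:
    with open(path, "rb") as f:
        raw = f.read()
    (n,) = struct.unpack(">I", raw[:4])
    wrapped, body = raw[4:4 + n], raw[4 + n:]
    data_key = kms.decrypt(CiphertextBlob=wrapped)["Plaintext"]  # KMS unwraps the data key
    return unseal(data_key, body)


def demo(tmpdir=None) -> dict:
    """Round trip plus a tamper check; uses the system temp dir (/tmp on Lambda)."""
    kms = FakeKMS()
    path = os.path.join(tmpdir or tempfile.gettempdir(), "record.enc")
    record = b"card=4111111111111111;cvv=123"  # constructed sample record
    write_encrypted(kms, DATA_KEY_ARN, path, record)
    on_disk = open(path, "rb").read()
    results = {"roundtrip": read_encrypted(kms, path) == record,
               "plaintext_on_disk": record in on_disk}
    tampered = bytearray(on_disk)
    tampered[-TAG_LEN - 1] ^= 0x01  # flip one bit of the ciphertext
    with open(path, "wb") as f:
        f.write(tampered)
    try:
        read_encrypted(kms, path)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    os.remove(path)
    results["kms_calls"] = list(kms.calls)
    return results


if __name__ == "__main__":
    print(demo())
```

In a real function, replace FakeKMS() with boto3.client("kms") and nothing else changes: the file layout carries the wrapped data key, so any later invocation (or a different execution environment) can recover the data with a single Decrypt call, while the plaintext key never touches disk and every key operation appears in CloudTrail.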