What should the developer do next to meet the encryption requirement?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A company has an application that uses an AWS Lambda function to process data.A developer must implement encryption in transit for all sensitive configuration data, such as API keys, that is stored in the application.The developer creates an AWS Key Management Service (AWS KMS) customer managed key.

What should the developer do next to meet the encryption requirement?

Create parameters of the String type in AWS Systems Manager Parameter Store. For each parameter, specify the KMS key ID to encrypt the parameter in transit. Reference the GetParameter API call in the Lambda environment variables.

Create secrets in AWS Secrets Manager by using the customer managed KMS key. Create a new Lambda function and set up a Lambda layer. Configure the Lambda layer to retrieve the values from Secrets Manager.

Create objects in Amazon S3 for each sensitive data field. Specify the customer managed KMS key to encrypt the object. Configure the Lambda function to retrieve the objects from Amazon S3 during data processing.

Create encrypted Lambda environment variables. Specify the customer managed KMS key to encrypt the variables. Enable encryption helpers for encryption in transit. Grant permission to the Lambda function’s execution role to access the KMS key.

Explanations:

TheStringtype in AWS Systems Manager Parameter Store can store plaintext values, not encrypted data in transit. Specifying a KMS key ID encrypts data at rest, not in transit, and GetParameter is not automatically encrypted.

Using AWS Secrets Manager can secure secrets at rest, but adding a Lambda layer for retrieval is unnecessary and does not guarantee encryption in transit. Lambda can retrieve secrets directly without a separate layer.

Storing sensitive data in Amazon S3 and using KMS for encryption only encrypts the data at rest. This method does not provide encryption in transit for sensitive data passed to Lambda functions.

Creating encrypted Lambda environment variables with a KMS key ensures encryption at rest and in transit. The Lambda environment is encrypted, and Lambda’s built-in encryption helpers ensure in-transit security for configuration data.

2025-10-16

1 Comment

  1. Stephanie
    Author

    If I’m correct, the answer is:
    Create encrypted Lambda environment variables. Specify the customer managed KMS key to encrypt the variables. Enable encryption helpers for encryption in transit. Grant permission to the Lambda function’s execution role to access the KMS key.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × two =