Which of the following are required for this configuration to work?
(Choose two.)
The Developer must configure Lambda access to the VPC using the --vpc-config parameter.
The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.
The KMS key policy must allow permissions for the Developer to use the KMS key.
The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added.
The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.
Explanations:
Configuring Lambda access to a VPC is not required for securing environment variables with KMS. This option is related to networking and VPC configurations, not the use of KMS for securing Lambda environment variables.
The Lambda function execution role needs kms:Decrypt permission to decrypt the encrypted environment variables using the specified KMS key.
The KMS key policy must allow the Developer to use the KMS key for encryption/decryption operations. Without the correct permissions in the KMS key policy, the Developer cannot use the CMK to secure Lambda environment variables.
The kms:GenerateDataKey permission is used for generating data keys, which is not required for simply using an existing KMS CMK to encrypt/decrypt Lambda environment variables.
The Lambda execution role doesn’t need kms:Encrypt permission to read or use environment variables. The kms:Decrypt permission is needed to access and decrypt environment variables, not kms:Encrypt.