Which steps must the solutions architect take to implement the correct permissions?
(Choose two.)
Add AWS KMS permissions in the Lambda resource policy.
Add AWS KMS permissions in the Lambda execution role.
Add AWS KMS permissions in the Lambda function policy.
Allow the Lambda execution role in the AWS KMS key policy.
Allow the Lambda resource policy in the AWS KMS key policy.
Explanations:
The Lambda resource policy is used to control access to the Lambda function itself, not to manage permissions for decrypting KMS-encrypted environment variables. Therefore, it is not appropriate for adding KMS permissions.
The Lambda execution role must have permission to use the AWS KMS key to decrypt the environment variables. The function assumes this role at runtime, so the decrypt permission has to be granted there.
The Lambda function policy is primarily used to manage access to the function for invocation by other AWS services or users. It does not control the function's own permission to use a KMS key for its environment variables.
The AWS KMS key policy must explicitly allow the Lambda execution role permissions to decrypt data. This ensures that the Lambda function has the necessary permissions to use the KMS key for decrypting environment variables.
The Lambda resource policy is not applicable to AWS KMS key policies. KMS key policies define which principals can use the KMS key, and they do not involve Lambda resource policies.
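The two correct steps above, written out as the policy documents they imply, plus a simplified authorization check. This is an added example, not part of the original question; the account id, region, role name and key id are constructed placeholders, and the check deliberately models the conservative configuration the explanation describes (explicit Allow on both the execution role and the key policy, with any Deny winning).

```python
from fnmatch import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda-env-decrypt-role"  # placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

# Identity-based policy attached to the Lambda execution role (step: add KMS
# permissions in the execution role).
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DecryptEnvVars", "Effect": "Allow",
                   "Action": "kms:Decrypt", "Resource": KEY_ARN}],
}

# Resource-based key policy that names the execution role as a principal
# (step: allow the execution role in the KMS key policy).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountRootAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowLambdaRoleToDecrypt", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _decision(statements, action, resource, principal=None):
    """Return 'Deny', 'Allow' or None (no matching statement)."""
    result = None
    for stmt in statements:
        if principal is not None:  # key policy statements name principals
            if principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
                continue
        if not any(fnmatch(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        result = "Allow"
    return result


def lambda_can_decrypt(role_arn, key_arn, role_policy, key_policy):
    """Conservative model: both the role's identity policy and the key policy
    must explicitly Allow kms:Decrypt for this role, and neither may Deny it."""
    identity = _decision(role_policy["Statement"], "kms:Decrypt", key_arn)
    key = _decision(key_policy["Statement"], "kms:Decrypt", key_arn, principal=role_arn)
    return identity == "Allow" and key == "Allow"
```

Removing either document's grant makes the check fail, which is the point the explanation makes: a Lambda resource policy or function policy never enters this evaluation.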