AWS Certified Developer – Associate (DVA-C02) — Question 108
A developer is building a highly secure healthcare application using serverless components. This application requires writing temporary data to /tmp storage on an AWS Lambda function.
How should the developer encrypt this data?
Answer options
- A. Enable Amazon EBS volume encryption with an AWS KMS key in the Lambda function configuration so that all storage attached to the Lambda function is encrypted.
- B. Set up the Lambda function with a role and key policy to access an AWS KMS key. Use the key to generate a data key used to encrypt all data prior to writing to /tmp storage.
- C. Use OpenSSL to generate a symmetric encryption key on Lambda startup. Use this key to encrypt the data prior to writing to /tmp.
- D. Use an on-premises hardware security module (HSM) to generate keys, where the Lambda function requests a data key from the HSM and uses that to encrypt data on all requests to the function.
Correct answer: B
Explanation
The correct answer is B. It is envelope encryption with AWS KMS: the function calls GenerateDataKey and receives a plaintext data key together with the same key encrypted under the KMS key; it encrypts the data locally with the plaintext key, keeps that key only in memory and only as long as needed, and stores the encrypted data key alongside the ciphertext in /tmp. To read the data back it sends the encrypted data key to KMS Decrypt. Both the function's execution role (IAM) and the key policy on the KMS key must allow kms:GenerateDataKey and kms:Decrypt, and every call is recorded in AWS CloudTrail, which gives the audit trail a healthcare workload needs. Because /tmp survives across invocations that reuse a warm execution environment, the function should also delete the file once it is finished with it.
- A is incorrect: /tmp is Lambda's ephemeral storage, not an Amazon EBS volume; a Lambda function cannot attach EBS volumes, so there is no EBS encryption setting to enable.
- C is incorrect: a key generated with OpenSSL at startup exists only inside that execution environment, is not protected by the hardware security modules behind KMS, has no access policy, rotation or audit trail, and disappears when the environment is recycled.
- D is incorrect: an on-premises HSM adds a network dependency and latency to every invocation and none of the native IAM integration; if hardware-isolated keys were a requirement, AWS CloudHSM (optionally as a KMS custom key store) would be the in-cloud option, and the question asks for nothing beyond KMS.
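The pattern option B describes, carried through in working Go as an added example (this code is not part of the question set and is not AWS SDK code): the function asks a key provider for a data key, encrypts with AES-256-GCM, and writes only the wrapped key next to the ciphertext. The `DataKeyProvider` interface, the `fakeKMS` stand-in (an in-memory AES-GCM wrapper that plays the role of KMS so the program runs offline), the `.key` sidecar layout and the sample record are all constructed for this illustration; in the real handler the provider would wrap the AWS SDK's GenerateDataKey (KeySpec AES_256) and Decrypt calls, and the execution role would need kms:GenerateDataKey and kms:Decrypt on the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// DataKeyProvider is the one seam to AWS KMS. In the handler it is backed by the real GenerateDataKey
// and Decrypt calls (AWS SDK, execution role, key policy); fakeKMS is a constructed offline stand-in.
type DataKeyProvider interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error) // KMS returns Plaintext + CiphertextBlob
	Decrypt(wrapped []byte) ([]byte, error)
}
type fakeKMS struct{ master cipher.AEAD } // not the AWS service: wraps data keys under an in-memory key

func newFakeKMS() *fakeKMS { return &fakeKMS{master: mustGCM(randBytes(32))} }
func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := randBytes(32)
	return dk, sealGCM(f.master, dk, []byte("data-key")), nil
}
func (f *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return openGCM(f.master, wrapped, []byte("data-key"))
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: stop rather than continue with weak keys
	}
	return b
}
func mustGCM(key []byte) cipher.AEAD { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
func sealGCM(aead cipher.AEAD, plaintext, aad []byte) []byte { // nonce || ciphertext || tag
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func openGCM(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad) // rejects any modification of blob or aad
	}
	return nil, errors.New("ciphertext too short")
}
func zero(b []byte) { // scrub a plaintext data key once it is no longer needed
	for i := range b {
		b[i] = 0
	}
}

// WriteEncrypted is the option B pattern: fetch a data key from KMS, encrypt with it, and store
// only the wrapped key (here in a .key sidecar, our own layout) beside the ciphertext.
func WriteEncrypted(p DataKeyProvider, path string, data []byte) error {
	dk, wrapped, err := p.GenerateDataKey()
	if err != nil {
		return err
	}
	defer zero(dk)
	if err := os.WriteFile(path+".key", wrapped, 0o600); err != nil {
		return err
	}
	// The wrapped key is bound in as AAD, so a sidecar swapped from another file fails to open.
	return os.WriteFile(path, sealGCM(mustGCM(dk), data, wrapped), 0o600)
}
// ReadEncrypted has KMS unwrap the sidecar key, then decrypts and authenticates the body.
func ReadEncrypted(p DataKeyProvider, path string) ([]byte, error) {
	wrapped, err := os.ReadFile(path + ".key")
	if err != nil {
		return nil, err
	}
	body, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	dk, err := p.Decrypt(wrapped) // one KMS round trip per read
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return openGCM(mustGCM(dk), body, wrapped)
}

func main() {
	kms, path := newFakeKMS(), filepath.Join(os.TempDir(), "record.enc") // resolves to /tmp on Lambda
	defer os.Remove(path + ".key")
	defer os.Remove(path) // /tmp persists across warm invocations: do not leave data behind
	if err := WriteEncrypted(kms, path, []byte("patient 0042: HbA1c 6.1%")); err != nil { // constructed sample
		panic(err)
	}
	rec, err := ReadEncrypted(kms, path)
	fmt.Printf("recovered=%q err=%v\n", rec, err)
}
```

Run it with `go run main.go`. Two properties matter more than the round trip itself: the plaintext data key never touches disk and is zeroed as soon as each operation completes, and ReadEncrypted returns an error if a byte of either file is changed, because the GCM tag covers the body and the wrapped key is authenticated as additional data. The cleanup in main is not decoration: /tmp is not wiped between invocations that land on the same warm execution environment.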