AWS Certified Developer – Associate (DVA-C02) — Question 364

A company has an application that uses an AWS Lambda function to process data. A developer must implement encryption in transit for all sensitive configuration data, such as API keys, that is stored in the application. The developer creates an AWS Key Management Service (AWS KMS) customer managed key.

What should the developer do next to meet the encryption requirement?

Answer options

• A. Create parameters of the String type in AWS Systems Manager Parameter Store. For each parameter, specify the KMS key ID to encrypt the parameter in transit. Reference the GetParameter API call in the Lambda environment variables.
• B. Create secrets in AWS Secrets Manager by using the customer managed KMS key. Create a new Lambda function and set up a Lambda layer. Configure the Lambda layer to retrieve the values from Secrets Manager.
• C. Create objects in Amazon S3 for each sensitive data field. Specify the customer managed KMS key to encrypt the object. Configure the Lambda function to retrieve the objects from Amazon S3 during data processing.
• D. Create encrypted Lambda environment variables. Specify the customer managed KMS key to encrypt the variables. Enable encryption helpers for encryption in transit. Grant permission to the Lambda function's execution role to access the KMS key.

Correct answer: D

Explanation

Enabling encryption helpers for AWS Lambda environment variables allows the developer to encrypt sensitive information on the client side using AWS KMS, ensuring the data remains encrypted in transit until it is decrypted by the function code. Option A is incorrect because String parameters in Systems Manager Parameter Store are not encrypted; SecureString must be used instead. Options B and C are incorrect because they introduce unnecessary operational overhead and do not directly leverage Lambda's native encryption helpers designed for securing environment variables in transit.