AWS Certified Developer – Associate — Question 152
A developer is building a highly secure healthcare application using serverless components. This application requires writing temporary data to /tmp storage on an AWS Lambda function.
How should the developer encrypt this data?
Answer options
- A. Enable Amazon EBS volume encryption with an AWS KMS key in the Lambda function configuration so that all storage attached to the Lambda function is encrypted.
- B. Set up the Lambda function with a role and key policy to access an AWS KMS key. Use the key to generate a data key used to encrypt all data prior to writing to /tmp storage.
- C. Use OpenSSL to generate a symmetric encryption key on Lambda startup. Use this key to encrypt the data prior to writing to /tmp.
- D. Use an on-premises hardware security module (HSM) to generate keys, where the Lambda function requests a data key from the HSM and uses that to encrypt data on all requests to the function.
Correct answer: B
Explanation
Option B is correct because it follows the envelope-encryption pattern: the function's execution role is granted access to an AWS KMS key, the function calls KMS to generate a data key, encrypts the data locally with the plaintext copy of that key, and stores only the KMS-encrypted copy of the key alongside the ciphertext, so sensitive data is protected before it ever reaches /tmp. Option A is incorrect because a Lambda function's /tmp is ephemeral storage managed by the service, not an attached Amazon EBS volume, so EBS volume encryption does not apply to it. Option C lacks a secure key management process: a key generated with OpenSSL at startup is not managed, audited, or rotated by KMS, which makes it less secure. Option D is impractical for a serverless architecture, as it relies on an on-premises HSM, which is not suitable for a cloud-native solution.
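The pattern option B describes, written out as an added example that is not part of the exam page: a data key is requested from KMS for each file, the plaintext half encrypts the data with AES-256-GCM, and only the KMS-encrypted half is stored in the file header. The KMS client is injected, so the same functions run with `boto3.client("kms")` inside Lambda or with the constructed `FakeKms` class below (which stands in for `generate_data_key` and `decrypt` offline). The `ENV1` file layout and the `KeyId` value are assumptions made for this example.

```python
"""Envelope encryption for data written to a Lambda function's /tmp directory.

Added example, not code from the exam page. The KMS client is injected so the
same code works with boto3.client("kms") in Lambda or with the constructed
FakeKms below for offline use.
"""
import os
import struct
import tempfile

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENV1"  # assumed file header for this example's on-disk layout


class FakeKms:
    """Constructed stand-in for the two KMS calls the example uses.

    It wraps data keys with a random in-memory master key. Real code passes a
    boto3 KMS client and never sees the master key material at all.
    """

    def __init__(self):
        self._master = AESGCM.generate_key(bit_length=256)

    def generate_data_key(self, KeyId, KeySpec):
        assert KeySpec == "AES_256"
        plaintext = os.urandom(32)
        nonce = os.urandom(12)
        # Bind the wrapped key to the key id, mirroring KMS's key binding.
        blob = nonce + AESGCM(self._master).encrypt(nonce, plaintext, KeyId.encode())
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, KeyId):
        nonce, wrapped = CiphertextBlob[:12], CiphertextBlob[12:]
        plaintext = AESGCM(self._master).decrypt(nonce, wrapped, KeyId.encode())
        return {"Plaintext": plaintext, "KeyId": KeyId}


def encrypt_to_tmp(kms, key_id, path, data):
    """Encrypt `data` with a fresh KMS data key and write it to `path`."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    data_key = resp["Plaintext"]
    nonce = os.urandom(12)  # GCM nonce: never reuse with the same key
    ciphertext = AESGCM(data_key).encrypt(nonce, data, None)
    # Drop our reference to the plaintext key as soon as it is no longer
    # needed; Python cannot guarantee the bytes are wiped from memory.
    del data_key
    wrapped = resp["CiphertextBlob"]
    with open(path, "wb") as f:
        f.write(MAGIC + struct.pack(">H", len(wrapped)) + wrapped + nonce + ciphertext)
    return path


def decrypt_from_tmp(kms, key_id, path):
    """Read `path`, unwrap its data key via KMS and return the plaintext."""
    with open(path, "rb") as f:
        buf = f.read()
    if buf[:4] != MAGIC:
        raise ValueError("not an envelope-encrypted file")
    (wrapped_len,) = struct.unpack(">H", buf[4:6])
    wrapped = buf[6:6 + wrapped_len]
    nonce = buf[6 + wrapped_len:18 + wrapped_len]
    ciphertext = buf[18 + wrapped_len:]
    data_key = kms.decrypt(CiphertextBlob=wrapped, KeyId=key_id)["Plaintext"]
    return AESGCM(data_key).decrypt(nonce, ciphertext, None)


def demo(kms=None, key_id="alias/example-tmp-key"):
    """Round-trip a constructed record and confirm tampering is detected."""
    kms = kms or FakeKms()
    record = b"patient-id=12345;result=negative"  # constructed sample data
    path = os.path.join(tempfile.gettempdir(), "record.enc")
    encrypt_to_tmp(kms, key_id, path, record)
    recovered = decrypt_from_tmp(kms, key_id, path)
    # Flip one ciphertext byte: GCM's tag check must reject the file.
    with open(path, "r+b") as f:
        f.seek(-1, os.SEEK_END)
        last = f.read(1)
        f.seek(-1, os.SEEK_END)
        f.write(bytes([last[0] ^ 0x01]))
    try:
        decrypt_from_tmp(kms, key_id, path)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    os.remove(path)
    return {"roundtrip_ok": recovered == record, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

In a real function the handler would call `encrypt_to_tmp(boto3.client("kms"), os.environ["KMS_KEY_ID"], "/tmp/record.enc", data)`, with the execution role allowed `kms:GenerateDataKey` and `kms:Decrypt` on that key; the plaintext data key exists only for the duration of the call, and anything left in /tmp between invocations is useless without KMS.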