AWS Certified Developer – Associate — Question 297

A developer has deployed a serverless application to AWS Lambda. The developer needs to encrypt the Lambda function's environment variables by using an AWS Key Management Service (AWS KMS) customer managed key. When the developer attempts to configure the KMS key for the environment variables, an error occurs. The error message indicates that access to the KMS key was denied.

What should the developer do to resolve this error?

Answer options

• A. Set an IAM policy that allows the developer to have appropriate access to the KMS key.
• B. Set an IAM policy that allows the Lambda function to have appropriate access to the KMS key.
• C. Apply the AWSLambdaBasicExecutionRole managed policy to the Lambda function.
• D. Create a trust policy for the Lambda function. In the trust policy, specify kms.amazonaws.com as a service principal.

Correct answer: A

Explanation

To configure a customer managed key for encrypting Lambda environment variables, the user or developer performing the configuration action must have the necessary permissions (such as kms:CreateGrant) on the KMS key. The error occurs during the setup phase, meaning it is the developer's IAM identity that lacks access, not the Lambda function's execution role. Modifying the Lambda function's execution role, managed policies, or trust policy will not resolve this permission issue during the configuration process.