AWS Certified Security – Specialty — Question 107

A Developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The Developer is required to use an AWS KMS Customer Master Key (CMK) supplied by the Information Security department in order to adhere to company standards for securing
Lambda environment variables.
Which of the following are required for this configuration to work? (Choose two.)

Answer options

• A. The Developer must configure Lambda access to the VPC using the --vpc-config parameter.
• B. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.
• C. The KMS key policy must allow permissions for the Developer to use the KMS key.
• D. The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added.
• E. The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.

Correct answer: B, C

Explanation

The correct answers are B and C because the Lambda function execution role must have the kms:Decrypt permission to access the encrypted environment variables, and the KMS key policy must explicitly allow the Developer to use the KMS key. Options A, D, and E are not required for this specific configuration, as they pertain to different functions or permissions not needed for using KMS with Lambda environment variables.