AWS Certified Solutions Architect – Associate (SAA-C03) — Question 552

A company is using AWS Key Management Service (AWS KMS) keys to encrypt AWS Lambda environment variables. A solutions architect needs to ensure that the required permissions are in place to decrypt and use the environment variables.

Which steps must the solutions architect take to implement the correct permissions? (Choose two.)

Answer options

• A. Add AWS KMS permissions in the Lambda resource policy.
• B. Add AWS KMS permissions in the Lambda execution role.
• C. Add AWS KMS permissions in the Lambda function policy.
• D. Allow the Lambda execution role in the AWS KMS key policy.
• E. Allow the Lambda resource policy in the AWS KMS key policy.

Correct answer: B, D

Explanation

To successfully decrypt environment variables, the Lambda execution role must be granted the appropriate AWS KMS permissions, such as kms:Decrypt, to access the KMS key. Additionally, the AWS KMS key policy must explicitly trust and allow the Lambda execution role to perform these decryption operations. Lambda resource policies govern who can invoke or manage the function, not the permissions the function itself uses to access other AWS services like KMS.