AWS Certified Solutions Architect – Associate (SAA-C03) — Question 746

A company has AWS Lambda functions that use environment variables. The company does not want its developers to see environment variables in plaintext.

Which solution will meet these requirements?

Answer options

• A. Deploy code to Amazon EC2 instances instead of using Lambda functions.
• B. Configure SSL encryption on the Lambda functions to use AWS CloudHSM to store and encrypt the environment variables.
• C. Create a certificate in AWS Certificate Manager (ACM). Configure the Lambda functions to use the certificate to encrypt the environment variables.
• D. Create an AWS Key Management Service (AWS KMS) key. Enable encryption helpers on the Lambda functions to use the KMS key to store and encrypt the environment variables.

Correct answer: D

Explanation

AWS KMS encryption helpers allow developers to encrypt sensitive environment variables on the client side before they are sent to AWS Lambda, preventing them from being viewed in plaintext in the console. Migrating to Amazon EC2 is an unnecessary architectural change, while AWS CloudHSM and AWS Certificate Manager do not provide native integration for encrypting Lambda environment variables in this context.