A company has AWS Lambda functions that use environment variables. The company does not want its developers to see environment variables in plaintext.
Which solution will meet these requirements?
A. Deploy code to Amazon EC2 instances instead of using Lambda functions.
B. Configure SSL encryption on the Lambda functions to use AWS CloudHSM to store and encrypt the environment variables.
C. Create a certificate in AWS Certificate Manager (ACM). Configure the Lambda functions to use the certificate to encrypt the environment variables.
D. Create an AWS Key Management Service (AWS KMS) key. Enable encryption helpers on the Lambda functions to use the KMS key to store and encrypt the environment variables.
AWS Lambda encrypts environment variables at rest using AWS KMS. With encryption helpers (Lambda's built-in support for client-side encryption), you encrypt sensitive environment variable values under a KMS key before they are stored, so only the ciphertext is saved in the function configuration. Developers viewing the function in the console see the encrypted value, not the plaintext; the function code decrypts the value only at runtime.
AWS Documentation Extract:
"AWS Lambda automatically encrypts environment variables at rest. For additional security, you can use AWS KMS keys and encryption helpers to encrypt environment variables, ensuring they are never exposed in plaintext."
A: Does not address the issue (and adds more management overhead).
B, C: There is no native support for environment variable encryption via CloudHSM or ACM.
[Reference: AWS Certified Solutions Architect – Official Study Guide, Lambda Security Best Practices]
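The runtime side of option D, as an added example that is not part of the original question or its explanation: the function reads a base64-encoded, KMS-encrypted environment variable and decrypts it once per container. The `FakeKmsClient`, the `FAKEKMS:` ciphertext format and the `DB_PASSWORD`/`orders-api` values are constructed so the code runs offline; in a real function you would replace the fake with `boto3.client("kms")`. The `LambdaFunctionName` encryption context follows the convention used by the Lambda console's sample decrypt snippet and is stated here as an assumption.

```python
"""Decrypt a KMS-encrypted Lambda environment variable at cold start."""
import base64
import os


class FakeKmsClient:
    """Offline stand-in for boto3.client("kms") (constructed for this example).

    Real KMS returns a dict with a "Plaintext" key and rejects ciphertext whose
    encryption context does not match the one supplied at encryption time.
    The "ciphertext" format here (a marker prefix) is made up so the code runs
    without AWS credentials or network access.
    """

    def __init__(self, expected_context):
        self._expected_context = expected_context

    def decrypt(self, CiphertextBlob, EncryptionContext):
        if EncryptionContext != self._expected_context:
            raise RuntimeError("InvalidCiphertextException: encryption context mismatch")
        if not CiphertextBlob.startswith(b"FAKEKMS:"):
            raise RuntimeError("InvalidCiphertextException: not a ciphertext")
        return {"Plaintext": CiphertextBlob[len(b"FAKEKMS:"):]}


def constructed_ciphertext(plaintext):
    """Produce the base64 string that would be stored as the env var value.

    Constructed for the fake client only; real values come from KMS Encrypt
    (or the Lambda console's encryption helper).
    """
    return base64.b64encode(b"FAKEKMS:" + plaintext).decode("ascii")


# Decrypted values live here so a warm container decrypts each secret once.
_decrypted = {}


def decrypt_env_var(name, kms_client, function_name, environ=None):
    """Return the plaintext of the KMS-encrypted, base64-encoded env var `name`.

    The encryption context binds the ciphertext to this function's name, so a
    value copied into another function's configuration fails to decrypt.
    """
    if name in _decrypted:
        return _decrypted[name]
    environ = os.environ if environ is None else environ
    ciphertext = base64.b64decode(environ[name])
    response = kms_client.decrypt(
        CiphertextBlob=ciphertext,
        EncryptionContext={"LambdaFunctionName": function_name},
    )
    plaintext = response["Plaintext"].decode("utf-8")
    _decrypted[name] = plaintext
    return plaintext


def make_handler(kms_client, function_name, environ=None):
    """Build a Lambda-style handler that uses the secret only after decryption.

    In a real deployment, kms_client is boto3.client("kms") and function_name
    is os.environ["AWS_LAMBDA_FUNCTION_NAME"].
    """
    def handler(event, context):
        password = decrypt_env_var("DB_PASSWORD", kms_client, function_name, environ)
        # Use the secret; never log it or return it. Only a length is reported.
        return {"status": "ok", "secret_length": len(password)}
    return handler


if __name__ == "__main__":
    env = {"DB_PASSWORD": constructed_ciphertext(b"correct horse")}
    kms = FakeKmsClient({"LambdaFunctionName": "orders-api"})
    print(make_handler(kms, "orders-api", env)({}, None))
```

The decrypt call sits outside the handler's hot path via the module-level cache, which is the usual pattern: one KMS call per cold start rather than per invocation. The encryption-context mismatch branch shows why the context matters for a defender: an environment value lifted into a different function decrypts to an error, not to the secret.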