Q20 — AWS DVA-C02 Ch.3
A developer is building a secure healthcare application using serverless components. The application must write temporary data to the /tmp storage of an AWS Lambda function.
- A. Enable Amazon EBS volume encryption using an AWS KMS key in the Lambda function configuration so that all storage attached to the Lambda function is encrypted.
- B. Configure the Lambda function with an IAM role and key policy to access an AWS KMS key. Use the KMS key to generate a data key for encrypting all data before writing to /tmp storage. ✓
- C. Use OpenSSL to generate a symmetric encryption key at Lambda startup and use this key to encrypt data before writing to /tmp.
- D. Use a local hardware security module (HSM) to generate keys, where the Lambda function requests a data key from the HSM and uses it to encrypt all data processed by the function.
Correct Answer: B. Configure the Lambda function with an IAM role and key policy to access an AWS KMS key. Use the KMS key to generate a data key for encrypting all data before writing to /tmp storage.
Explanation
In the AWS Lambda environment, the /tmp directory is ephemeral local storage attached to the execution environment. Lambda offers no configuration option to encrypt it under a customer managed KMS key, so data that must be protected under a key you control has to be encrypted by the function itself before it is written. The expected pattern is envelope encryption with AWS Key Management Service (KMS): grant the function's execution role kms:GenerateDataKey and kms:Decrypt on the key, and grant the same role those permissions in the key policy (both sides are required; an IAM policy alone is not enough unless the key policy delegates to IAM, as the default key policy does). At runtime the function calls GenerateDataKey, receives a plaintext data key together with the same key encrypted under the KMS key, encrypts the data locally with the plaintext key (for example AES-256-GCM), writes the ciphertext and the encrypted data key to /tmp, and discards the plaintext key from memory. To read the data back it calls Decrypt on the encrypted data key and decrypts locally. Every KMS call is logged in CloudTrail, and rotation is handled by KMS. Two practical caveats: /tmp persists across warm invocations of the same execution environment, so delete files you no longer need, and never write the plaintext data key to /tmp.

Option A is invalid because Lambda does not attach EBS volumes; its storage is the ephemeral /tmp directory or an Amazon EFS mount. Option C keeps a key that was generated in the function's own memory, with no key management, audit trail or rotation, and a key generated at startup persists for the life of the execution environment. Option D introduces unnecessary complexity and an external dependency that Lambda has no native way to reach. Thus, option B is correct.
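The envelope-encryption flow described above, written out as an added Go example that is not part of the original page or of any AWS sample. The KMS calls are hidden behind a small DataKeyProvider interface; the fakeKMS type that implements it is a constructed, insecure stand-in so the code runs offline, and the adapter over the real aws-sdk-go-v2 kms.Client (GenerateDataKey with KeySpec AES_256, and Decrypt) is assumed rather than shown. The on-disk layout (length-prefixed encrypted data key, nonce, AES-256-GCM ciphertext with the encrypted data key as associated data) is this example's own choice, and os.MkdirTemp stands in for /tmp.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const gcmNonceSize = 12 // nonce size used by cipher.NewGCM

// DataKeyProvider is the minimal KMS surface envelope encryption needs.
// In a real function this is an adapter over the aws-sdk-go-v2 kms.Client
// (GenerateDataKey returning Plaintext/CiphertextBlob, and Decrypt); that
// adapter is assumed here and not shown.
type DataKeyProvider interface {
	GenerateDataKey() (plaintext, encrypted []byte, err error)
	Decrypt(encrypted []byte) ([]byte, error)
}

// fakeKMS is a constructed offline stand-in: it "wraps" a data key by XOR
// with a random master secret. NOT secure; it only imitates the KMS shape.
type fakeKMS struct{ master []byte }

func newFakeKMS() (*fakeKMS, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &fakeKMS{master: m}, nil
}

func (f *fakeKMS) xorMaster(k []byte) []byte {
	out := make([]byte, len(k))
	for i := range k {
		out[i] = k[i] ^ f.master[i]
	}
	return out
}

func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	k := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(k); err != nil {
		return nil, nil, err
	}
	return k, f.xorMaster(k), nil
}

func (f *fakeKMS) Decrypt(encrypted []byte) ([]byte, error) {
	if len(encrypted) != 32 {
		return nil, errors.New("fakeKMS: malformed encrypted data key")
	}
	return f.xorMaster(encrypted), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero is best-effort: it clears the slice, though expanded round keys
// inside the cipher may still sit in memory until garbage-collected.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// WriteEncrypted fetches a fresh data key, encrypts plaintext under it and
// writes [4-byte len][encrypted data key][nonce][ciphertext+tag] to path.
// Only the encrypted data key touches disk; the plaintext key is zeroed.
func WriteEncrypted(kms DataKeyProvider, path string, plaintext []byte) error {
	key, edk, err := kms.GenerateDataKey()
	if err != nil {
		return err
	}
	defer zero(key)
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcmNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, plaintext, edk) // edk as AAD binds key to data
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(edk)))
	buf.Write(edk)
	buf.Write(nonce)
	buf.Write(ct)
	return os.WriteFile(path, buf.Bytes(), 0o600)
}

// ReadEncrypted reverses WriteEncrypted; any tampering fails the GCM tag.
func ReadEncrypted(kms DataKeyProvider, path string) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(data) < 4 {
		return nil, errors.New("truncated file")
	}
	n := int(binary.BigEndian.Uint32(data[:4]))
	if len(data) < 4+n+gcmNonceSize {
		return nil, errors.New("truncated file")
	}
	edk, nonce, ct := data[4:4+n], data[4+n:4+n+gcmNonceSize], data[4+n+gcmNonceSize:]
	key, err := kms.Decrypt(edk)
	if err != nil {
		return nil, err
	}
	defer zero(key)
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, edk)
}

func main() {
	dir, _ := os.MkdirTemp("", "lambda-tmp") // in Lambda this would be "/tmp"
	defer os.RemoveAll(dir)
	k, _ := newFakeKMS()
	p := filepath.Join(dir, "record.enc")
	if err := WriteEncrypted(k, p, []byte("constructed sample: patient-id=12345")); err != nil {
		panic(err)
	}
	pt, err := ReadEncrypted(k, p)
	fmt.Printf("%q %v\n", pt, err)
}
```

Because the encrypted data key is stored with the ciphertext, a later invocation (or another execution environment) can recover the data with a single Decrypt call, and the file is useless to anyone who does not hold kms:Decrypt on the KMS key.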