Q20 — AWS DVA-C02 Ch.3

Question 20 of 100 | Chapter 3

A developer is building a secure healthcare application using serverless components. The application must write temporary data to the /tmp storage of an AWS Lambda function.

Correct Answer: B. Configure the Lambda function with an IAM role and key policy to access an AWS KMS key. Use the KMS key to generate a data key for encrypting all data before writing to /tmp storage.

Explanation

In the AWS Lambda environment, the /tmp directory is ephemeral local storage provided to the function, but it does not offer built-in encryption. To encrypt data written to /tmp, developers must use AWS Key Management Service (KMS). The correct approach is to configure the Lambda function's IAM role and the KMS key policy to allow access to a KMS key, then call a KMS API such as GenerateDataKey to obtain a data key, and use the plaintext data key to encrypt the data before writing it to /tmp. This ensures confidentiality and aligns with AWS security best practices.

Option A is invalid because Lambda does not attach EBS volumes. Option C uses OpenSSL locally but lacks secure key management and rotation. Option D introduces unnecessary complexity and external dependencies that Lambda does not support natively. Thus, option B is correct.