nerdexam
Amazon

DVA-C02 · Question #373

A company has an application that uses an AWS Lambda function to process data. A developer must implement encryption in transit for all sensitive configuration data, such as API keys, that is stored i

The correct answer is D. Create encrypted Lambda environment variables. Specify the customer managed KMS key to. Lambda environment variables support direct KMS encryption, making them the most straightforward way to protect sensitive configuration values used within a Lambda function.

Submitted by carlos_mx· Mar 5, 2026Security

Question

A company has an application that uses an AWS Lambda function to process data. A developer must implement encryption in transit for all sensitive configuration data, such as API keys, that is stored in the application. The developer creates an AWS Key Management Service (AWS KMS) customer managed key. What should the developer do next to meet the encryption requirement?

Options

  • ACreate parameters of the String type in AWS Systems Manager Parameter Store. For each
  • BCreate secrets in AWS Secrets Manager by using the customer managed KMS key. Create a
  • CCreate objects in Amazon S3 for each sensitive data field. Specify the customer managed KMS
  • DCreate encrypted Lambda environment variables. Specify the customer managed KMS key to

How the community answered

(34 responses)
  • A
    18% (6)
  • B
    9% (3)
  • C
    3% (1)
  • D
    71% (24)

Why each option

Lambda environment variables support direct KMS encryption, making them the most straightforward way to protect sensitive configuration values used within a Lambda function.

ACreate parameters of the String type in AWS Systems Manager Parameter Store. For each

Parameter Store String type stores values as plaintext; SecureString type is required for encryption, so this option does not meet the encryption requirement as stated.

BCreate secrets in AWS Secrets Manager by using the customer managed KMS key. Create a

AWS Secrets Manager does support KMS-encrypted secrets, but it requires additional API calls (GetSecretValue) in the Lambda code and adds more operational complexity than encrypting environment variables directly.

CCreate objects in Amazon S3 for each sensitive data field. Specify the customer managed KMS

Storing configuration data as S3 objects is not a standard or efficient pattern for Lambda function configuration and requires additional IAM permissions and S3 API calls at runtime.

DCreate encrypted Lambda environment variables. Specify the customer managed KMS key toCorrect

Lambda allows you to specify a customer managed KMS key to encrypt environment variables at rest. The values are decrypted automatically when the Lambda execution environment initializes, making them directly available to the function code without additional API calls and with the least implementation complexity.

Concept tested: Lambda environment variable encryption with customer managed KMS key

Source: https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice