DVA-C02 · Question #591
A company has many microservices that are comprised of AWS Lambda functions. Multiple teams within the company split ownership of the microservices. An application reads configuration values from envi
The correct answer is B. Create customer managed keys for all Lambda functions. Use the new customer managed keys. Customer-managed KMS keys are required to meet the security policy requirement of team- specific control over KMS key rotation. Each team can manage the lifecycle of its own key. The kms:Decrypt permission allows the Lambda function execution roles to decrypt the environment vari
Question
A company has many microservices that are comprised of AWS Lambda functions. Multiple teams within the company split ownership of the microservices. An application reads configuration values from environment variables that are contained in the Lambda functions. During a security audit, the company discovers that some of the environment variables contain sensitive information. The company's security policy requires each team to have full control over the rotation of AWS KMS keys that the team uses for its respective microservices. Which solution will meet these requirements?
Options
- ACreate AWS managed keys for all Lambda functions. Use the new AWS managed keys to
- BCreate customer managed keys for all Lambda functions. Use the new customer managed keys
- CCreate customer managed keys for all Lambda functions. Use the new customer managed keys
- DCreate AWS managed keys for all Lambda functions. Use the new AWS managed keys to
How the community answered
(40 responses)- A28% (11)
- B53% (21)
- C8% (3)
- D13% (5)
Explanation
Customer-managed KMS keys are required to meet the security policy requirement of team- specific control over KMS key rotation. Each team can manage the lifecycle of its own key. The kms:Decrypt permission allows the Lambda function execution roles to decrypt the environment variables during runtime. This solution adheres to the principle of least privilege and satisfies the need for team-specific
Community Discussion
No community discussion yet for this question.