Configuring Secure and Flexible Lambda Functions | SAA-C03 Exam Guide

Secure Configuration of Lambda Functions


Question

You are a solutions architect working for a social media company that provides a place for civil discussion of political and news-related events.

Due to the ever-changing regulatory requirements and restrictions placed on social media apps that provide these services, you need to build your app in a highly flexible environment that you can change instantly without updating code.

You have chosen to build the REST API endpoints used by your social media app user interface code using Lambda.

How can you securely configure your Lambda functions so that you can achieve the flexibility required by your app? (Select TWO)

Answers

Explanations


A. B. C. D. E.

Correct Answers: B and C.

Option A is incorrect.

Sending environment variables to your Lambda function as request parameters would expose the environment variables as plain text.

This is not a secure approach.

Option B is correct.

Lambda key configuration allows you to have your Lambda functions use an encryption key.

You create the key in AWS KMS.

The key is used to encrypt the environment variables that you can use to change your function without deploying any code.

Option C is correct.

Encryption helpers make your Lambda function more secure by allowing you to encrypt your environment variables before they are sent to Lambda.

Option D is incorrect.

Lambda layers are used to package common code such as libraries, configuration files, or custom runtime images.

Layers will not give you the same flexibility as environment variables for use in managing change without deploying any code.

Option E is incorrect.

Lambda aliases are used to refer to a specific version of your Lambda function.

You could switch between many versions of your Lambda function, but you would have to deploy new code to create a different version of your Lambda function.
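Options B and C combined, as an added example (not code from the exam guide or from AWS): a Python handler that takes a plain flag and a KMS-encrypted secret from environment variables, so behaviour changes with a configuration update rather than a code deployment. The variable names `MODERATION_MODE` and `MODERATION_API_KEY`, the `StubKMS` stand-in, and the use of the function name as encryption context are assumptions.

```python
import base64
import os

_cache = {}  # ciphertext -> plaintext, reused across warm invocations


def decrypt_env(name, kms=None, environ=os.environ):
    """Decrypt a base64 KMS ciphertext stored in an environment variable."""
    ciphertext = environ[name]
    if ciphertext not in _cache:
        blob = base64.b64decode(ciphertext, validate=True)  # rejects non-base64 values
        if kms is None:
            import boto3  # bundled with the Lambda Python runtime
            kms = boto3.client("kms")
        resp = kms.decrypt(
            CiphertextBlob=blob,
            # Assumed: the value was encrypted with the function name as context.
            EncryptionContext={"LambdaFunctionName": environ["AWS_LAMBDA_FUNCTION_NAME"]},
        )
        _cache[ciphertext] = resp["Plaintext"].decode("utf-8")
    return _cache[ciphertext]


def handler(event, context, kms=None, environ=os.environ):
    """Behaviour is driven by configuration only: one plain flag, one encrypted secret."""
    mode = environ.get("MODERATION_MODE", "strict")  # hypothetical plain flag
    try:
        api_key = decrypt_env("MODERATION_API_KEY", kms, environ)  # hypothetical secret
    except Exception:
        # Fail closed and keep KMS/base64 error details out of the API response.
        return {"statusCode": 500, "body": "configuration error"}
    return {"statusCode": 200, "body": f"mode={mode} key_loaded={bool(api_key)}"}


class StubKMS:
    """Constructed stand-in for the KMS client so the example runs offline."""

    def __init__(self, function_name):
        self.function_name = function_name

    def decrypt(self, CiphertextBlob, EncryptionContext):
        if EncryptionContext != {"LambdaFunctionName": self.function_name}:
            raise PermissionError("encryption context mismatch")
        return {"Plaintext": CiphertextBlob[::-1]}  # toy transform, not real crypto
```

In a deployed function the `kms` and `environ` arguments are left at their defaults, and the execution role needs `kms:Decrypt` on the key.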

References:

Please see the AWS Lambda developer guide titled Data protection in AWS Lambda (https://docs.aws.amazon.com/lambda/latest/dg/security-dataprotection.html), the AWS Lambda developer guide titled Lambda concepts (https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer), the AWS Lambda developer guide titled Lambda function aliases (https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html), and the AWS Lambda developer guide titled Using AWS Lambda environment variables (https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html).

To achieve the required flexibility and security for the REST API endpoints of a social media app, two possible solutions are:

A. Pass environment variables to your Lambda function via the request header sent to your API Gateway methods.

API Gateway allows you to map request parameters to Lambda function environment variables. You can use this feature to configure your Lambda functions securely without updating code. For example, you can set environment variables for database credentials or API keys, and map them to request parameters such as headers or query strings. This way, you can change the environment variables at any time without redeploying your Lambda function, and the changes will be effective immediately. This approach allows you to achieve flexibility while maintaining security because the environment variables are not exposed in the code and are only available to the Lambda function.

B. Use Lambda aliases.

Lambda aliases provide a way to publish multiple versions of a Lambda function under a single Amazon Resource Name (ARN). You can use aliases to route traffic to specific versions of the function, allowing you to implement flexible and secure deployment strategies. For example, you can have a production alias that points to the latest stable version of your Lambda function, and a staging alias that points to a new version that is being tested. You can also configure different aliases to use different resource policies or environment variables, providing fine-grained control over the function's behavior. This approach allows you to achieve flexibility while maintaining security because you can control access to different versions of the function using IAM roles and policies.

C, D, and E are incorrect options for this scenario:

C. Use encryption helpers

Encryption helpers are libraries that help you encrypt and decrypt data in your Lambda function. While encryption is important for securing data at rest and in transit, it does not address the requirement for flexibility in this scenario. Encryption helpers do not allow you to configure your Lambda function without updating code, and therefore do not meet the requirements of the question.

D. Use Lambda layers

Lambda layers are a way to package and share libraries, custom runtimes, and other function dependencies across multiple Lambda functions. While Lambda layers can help you manage dependencies and reduce code duplication, they do not provide the required flexibility for this scenario. Lambda layers do not allow you to configure your Lambda function without updating code, and therefore do not meet the requirements of the question.

E. Use key configuration

Key configuration typically refers to the process of generating and managing API keys that are used to authenticate and authorize access to API Gateway endpoints. While API keys are an important part of securing API endpoints, they do not provide the required flexibility for this scenario. API keys are typically used to restrict access to specific endpoints, rather than to configure Lambda functions, and therefore do not meet the requirements of the question.