AWS Lambda Function: Secure Database Connections - Exam DVA-C01

Secure Database Connections with AWS Lambda Functions


Question

You are creating a Lambda function that will be accessing a database.

Due to compliance reasons, all database connecting strings must be stored encrypted at rest.

How can you accomplish this in the Lambda function? Choose 2 answers from the options given below.

Answers

Explanations


Answer - B and D.

Option A is incorrect.

We cannot put the connection string directly into the Lambda function code; it should instead be assigned to an environment variable within the Lambda function.

Option B is correct.

The connection string is assigned to an environment variable within a Lambda function.

Option C is incorrect.

You need to enable encryption for the environment variable, not for the Lambda function itself.

Option D is correct.

You need to enable encryption for the environment variable.

You can do this via the Environment variables section of the Lambda console, as described in the AWS documentation.

Expand the Environment variables section.

Enter your key-value pair.

Expand the Encryption configuration section.

Note that Lambda provides a default service key, shown under KMS key, which encrypts your information at rest after it is uploaded.

If the information you provided is sensitive, you can additionally check the Enable helpers for encryption in transit checkbox and supply a custom key.

This masks the value you entered and results in a call to AWS KMS to encrypt the value and return it as ciphertext.

If you haven't created a KMS key for your account, you will be provided a link to the AWS IAM console to create one.

The account must have encrypt and decrypt permissions for that key.

Note that the Encrypt button toggles to Decrypt after you choose it.

This affords you the option to update the information.

Once you have done that, choose the Encrypt button.

The Code button provides sample decrypt code specific to the runtime of your Lambda function that you can use with your application.

Because of what is mentioned in the documentation, all other options are invalid.

For more information on environment variables in Lambda, please refer to the URL below:

https://docs.aws.amazon.com/lambda/latest/dg/tutorial-env_console.html

Option A is not a good choice as it would mean storing the database connection string in plaintext inside the Lambda function code. This can be a security risk as anyone with access to the function code could see the database credentials.

Option B is a better choice because you can use AWS Key Management Service (KMS) to encrypt the environment variable holding the database connection string. This way, the database credentials are encrypted at rest and are only decrypted when needed by the Lambda function. To do this, you can create a KMS key, grant the Lambda function permission to use the key, and then encrypt the environment variable holding the database connection string with that key.

Option C is not necessary because it would mean encrypting the entire function code, including the environment variables, which would make it difficult to use and maintain the function.

Option D is a valid choice as well. If you only want to encrypt the environment variable holding the database connection string, you can create a KMS key and use it to encrypt that specific environment variable. This way, the other environment variables are not encrypted and can be used without decryption.

Overall, the best approach would be to use Option B or Option D, depending on whether you want to encrypt all environment variables or just the one holding the database connection string.
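The runtime side of Options B and D, as an added example that is not code from the page or from AWS's console sample: a Python handler reads the base64 ciphertext the console helper stored in the environment variable, decrypts it through KMS once per execution environment, and caches the plaintext. The `LambdaFunctionName` encryption context, the variable name `DB_CONNECTION_STRING` and the offline sample values are assumptions for illustration.

```python
"""Added example: decrypt a KMS-encrypted Lambda environment variable at runtime."""
import base64
import os
from typing import Callable, Dict, Tuple

# (ciphertext bytes, encryption context) -> plaintext bytes
Decrypter = Callable[[bytes, Dict[str, str]], bytes]
_cache: Dict[Tuple[str, str], str] = {}  # keyed by (function name, base64 blob)


def kms_decrypter(ciphertext: bytes, context: Dict[str, str]) -> bytes:
    """Real decrypter: one KMS Decrypt call via boto3 (imported lazily so the
    module also loads offline). The function's role needs kms:Decrypt on the key."""
    import boto3
    resp = boto3.client("kms").decrypt(CiphertextBlob=ciphertext,
                                       EncryptionContext=context)
    return resp["Plaintext"]


def decrypt_env_var(name: str, env=None, decrypter: Decrypter = kms_decrypter) -> str:
    """Decrypt env[name] once per container; later calls return the cached value."""
    env = os.environ if env is None else env
    function_name, b64 = env["AWS_LAMBDA_FUNCTION_NAME"], env[name]
    key = (function_name, b64)
    if key not in _cache:
        # Assumed: the console helper binds the ciphertext to the function name as
        # KMS encryption context, so another function cannot decrypt a copied value.
        context = {"LambdaFunctionName": function_name}
        _cache[key] = decrypter(base64.b64decode(b64), context).decode("utf-8")
    return _cache[key]


def lambda_handler(event, context):
    conn_str = decrypt_env_var("DB_CONNECTION_STRING")
    # open the database connection with conn_str here; never log or return it
    return {"statusCode": 200, "body": "connected"}


# --- constructed offline sample: no AWS calls are made ---
SAMPLE_PLAINTEXT = "postgres://app:example-pass@db.internal:5432/orders"
SAMPLE_ENV = {"AWS_LAMBDA_FUNCTION_NAME": "orders-fn",
              "DB_CONNECTION_STRING": base64.b64encode(b"fake-kms-blob").decode()}


def fake_decrypter(ciphertext: bytes, context: Dict[str, str]) -> bytes:
    """Stands in for KMS and, like KMS, rejects a mismatched encryption context."""
    if ciphertext != b"fake-kms-blob" or context != {"LambdaFunctionName": "orders-fn"}:
        raise ValueError("InvalidCiphertextException: blob/context mismatch")
    return SAMPLE_PLAINTEXT.encode("utf-8")


if __name__ == "__main__":
    print(decrypt_env_var("DB_CONNECTION_STRING", SAMPLE_ENV, fake_decrypter))
```

Decrypting outside the handler (or caching as above) keeps the KMS call to one per warm container rather than one per invocation, which is also what keeps the plaintext out of the event log.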