AWS Lambda Function Encryption and DynamoDB Integration | DVA-C01 Exam Guide

Encrypting Bank Account Information in AWS Lambda and Saving to DynamoDB


Question

You are developing an application that is using AWS Lambda.

A Lambda function is placed in a private subnet which does not have internet access.

This Lambda function will receive bank account information as a JSON object.

This JSON is about 7 KB in size.

You need to encrypt this information and then save it to DynamoDB.

Which approach could satisfy this requirement?

Explanations


Correct Answer: A.

Option A is CORRECT because the Lambda function is placed in a subnet with no internet access, so it will need the KMS VPC endpoint in order to work with KMS.

Because the JSON object is bigger than 4 KB, you will need to encrypt it using envelope encryption.

More details: https://lobster1234.github.io/2017/09/29/aws-kms-envelope-encryption/

Option B is incorrect because the Lambda function needs internet access in order to communicate with KMS.

More details: https://aws.amazon.com/blogs/security/how-to-connect-directly-to-aws-key-management-service-from-amazon-vpc-by-using-an-aws-privatelink-endpoint/

Option C is incorrect because the JSON object is 7 KB in size and the maximum size allowed by the KMS Encrypt operation is 4 KB.

More details: https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html

Option D is incorrect because the Lambda function needs internet access in order to communicate with KMS.

More details: https://aws.amazon.com/blogs/security/how-to-connect-directly-to-aws-key-management-service-from-amazon-vpc-by-using-an-aws-privatelink-endpoint/

The correct answer is A: Create a VPC Endpoint in the Lambda VPC for the KMS Service. Generate a new Customer Master Key. Encrypt the JSON data using KMS Envelope Encryption. Upload the encrypted data to DynamoDB.

Here is a detailed explanation of why this is the best approach:

  1. Create a VPC Endpoint in the Lambda VPC for the KMS Service: The Lambda function is in a private subnet that has no internet access, so it cannot reach the KMS service, the managed service that holds the encryption keys. To let the Lambda function use KMS, we create a VPC endpoint for the KMS service in the Lambda VPC. A VPC endpoint provides a private connection between the VPC and the KMS service that does not require internet access.

  2. Generate a new Customer Master Key: A Customer Master Key (CMK) is a logical representation of a master key in KMS. It is used to encrypt and decrypt data. In this case, we need to generate a new CMK to encrypt the bank account information.

  3. Encrypt the JSON data using KMS Envelope Encryption: KMS envelope encryption is the technique used to encrypt large amounts of data with KMS. A data encryption key (DEK) encrypts the data locally, and only the DEK is then encrypted with the CMK. Because the JSON object itself is never sent to KMS, we can encrypt it without hitting the 4 KB size limit of the KMS Encrypt operation.

  4. Upload the encrypted data to DynamoDB: After encrypting the JSON data, we can upload it to DynamoDB, a fully managed NoSQL database service provided by AWS. DynamoDB allows us to store and retrieve data with high availability and durability.
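The four steps above, carried out in Ruby (one of the Lambda runtimes) as an added example that is not part of this exam guide: the payload is sealed locally with a data key from GenerateDataKey, only the wrapped key and ciphertext go into the DynamoDB item, and Decrypt is called on the wrapped key alone. The `FakeKMS` stand-in, the `Envelope` helper names and the key alias are assumptions for this illustration; in the real function the `kms` object is the AWS SDK's KMS client reached through the VPC endpoint.

```ruby
require 'openssl'
require 'securerandom'

# Envelope encryption for the DynamoDB write: KMS sees only the 32-byte data key (GenerateDataKey and
# Decrypt via the VPC endpoint); the JSON is encrypted locally, so the 4 KB KMS Encrypt limit never applies.
module Envelope
  def self.aes_gcm_seal(key, plaintext, aad)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    iv = c.random_iv # fresh 96-bit nonce per call; never reused with the same key
    c.auth_data = aad
    ciphertext = c.update(plaintext) + c.final
    [iv, ciphertext, c.auth_tag]
  end

  def self.aes_gcm_open(key, iv, ciphertext, tag, aad)
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = iv
    c.auth_tag = tag # a wrong tag, altered ciphertext or altered AAD makes final raise CipherError
    c.auth_data = aad
    c.update(ciphertext) + c.final
  end

  # Builds the item to put (binary values map to DynamoDB's B type; add the table's key attributes).
  # The plaintext DEK lives only inside this call. kms answers generate_data_key and decrypt, like the SDK client.
  def self.encrypt_item(kms, key_id, json)
    dek, wrapped_dek = kms.generate_data_key(key_id)
    iv, ct, tag = aes_gcm_seal(dek, json, key_id) # key id as AAD: the item only opens under its own key
    { 'kms_key_id' => key_id, 'wrapped_dek' => wrapped_dek, 'iv' => iv, 'ciphertext' => ct, 'tag' => tag }
  end

  def self.decrypt_item(kms, item)
    dek = kms.decrypt(item['wrapped_dek']) # only the wrapped DEK goes to KMS
    aes_gcm_open(dek, item['iv'], item['ciphertext'], item['tag'], item['kms_key_id'])
  end
end

# Stand-in for the KMS client so the flow runs offline (constructed for this example, not the AWS
# SDK): data keys are wrapped under an in-memory master key that plays the role of the CMK.
FakeKMS = Struct.new(:master) do
  def generate_data_key(key_id)
    dek = SecureRandom.random_bytes(32)
    iv, ct, tag = Envelope.aes_gcm_seal(master, dek, key_id)
    [dek, key_id + '|' + iv + ct + tag] # the key_id prefix stands in for KMS's own key metadata
  end
  def decrypt(wrapped)
    key_id, blob = wrapped.split('|', 2)
    Envelope.aes_gcm_open(master, blob[0, 12], blob[12..-17], blob[-16..], key_id)
  end
end
```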

Option B is incorrect because it does not specify how the Lambda function can access KMS in a private subnet. Option C is incorrect because it mentions the use of the encrypt() method, which is not a valid method for encrypting data with KMS. Option D is incorrect because it does not specify how the Lambda function can access KMS in a private subnet.