A developer is building a highly secure healthcare application using serverless components. This application requires writing temporary data to /tmp storage on an AWS Lambda function.
How should the developer encrypt this data?
A.
Enable Amazon EBS volume encryption with an AWS KMS key in the Lambda function configuration so that all storage attached to the Lambda function is encrypted.
B.
Set up the Lambda function with a role and key policy to access an AWS KMS key. Use the key to generate a data key used to encrypt all data prior to writing to /tmp storage.
C.
Use OpenSSL to generate a symmetric encryption key on Lambda startup. Use this key to encrypt the data prior to writing to /tmp.
D.
Use an on-premises hardware security module (HSM) to generate keys, where the Lambda function requests a data key from the HSM and uses that to encrypt data on all requests to the function.
Yep, B is correct. /tmp doesn't provide a direct way to ecnrypt at rest also because it is intended to be a temporary folder. So, we have to use the GenerateDataKey API and encrypt the data in the function before send it to /tmp folder. Remember to configure the permission to the function for read key and encrypt files. B is the correct answer.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
rcaliandro
1 year, 10 months agoKrt5894
2 years, 3 months agomichaldavid
2 years, 5 months agok1kavi1
2 years, 5 months agok1kavi1
2 years, 5 months ago