Exam AWS Certified Developer Associate topic 1 question 376 discussion

Answer is A. The error occurs not when Lambda tries to access KMS key, but when the DEVELOPER does.

Option B is the correct answer because the Lambda function is the entity that needs access to the KMS key in order to encrypt its environment variables. Therefore, the developer needs to set an IAM policy that allows the Lambda function to have appropriate access to the KMS key. When configuring an AWS KMS customer managed key for use with a Lambda function's environment variables, the key must be accessible by the Lambda function's execution role. By default, the Lambda function's execution role does not have permissions to use any KMS keys.

The problem ocurs when the developer tries to interact with kms. Its A.

B. Set an IAM policy that allows the Lambda function to have appropriate access to the KMS key. The developer should set an IAM policy that grants the Lambda function appropriate permissions to access the KMS key. This can be done by creating an IAM role with the necessary permissions and then associating it with the Lambda function. The policy should include actions such as "kms:Encrypt" and "kms:Decrypt" permissions for the specific KMS key. Once the policy is set, the developer should re-attempt configuring the KMS key for the environment variables.

This is not related with lambda execution. Keyword - 'When the developer attempts to configure the KMS key for the environment variables' So, it's A.

ans: A KMS Exception: AccessDeniedException KMS Message https://aws.amazon.com/premiumsupport/knowledge-center/lambda-kmsaccessdeniedexception-errors/