Exam AWS Certified Security - Specialty topic 1 question 141 discussion

B and C, I'm 99% sure after doing the research. Lambda uses the Encrypt and Decrypt calls, rather than GenerateDataKey which is for envelope encryption. This documentation helps understand that https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html To use a customer managed CMK, you need permission to use the key. Lambda uses your permissions to create a grant on the key. This allows Lambda to use it for encryption: - kms:ListAliases – To view keys in the Lambda console. - kms:CreateGrant, kms:Encrypt – To configure a customer managed CMK on a function. - kms:Decrypt – To view and manage environment variables that are encrypted with a customer managed CMK. A: VPC is not relevant. B: Lambda needs to be able to decrypt the parameter values the developer stored. C: Developer needs to be able to encrypt data to be stored in the parameter. D: No, lambda parameters use direct encryption not envelope encryption E: Lambda decrypts the parameters the developer stores, it doesn't need to encrypt.

B&C B: Lambda function role must have the KMS permissions to decrypt and use the environment variables in plaintext. C: The developer must have access to the CMK in order to encrypt the variables

BE is the correct answer, as Lambda needs both encrypt and decrypt access. C is wrong as it asks for Developer access not Lambda.

B is understandable. C is the best of the rest, yet I don't get why the developer needs to be able to "use" the key. No, he doesn't need to.

B. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy. C. The KMS key policy must allow permissions for the Developer to use the KMS key. These permissions ensure that the Lambda function can decrypt environment variables secured with the specified KMS key.

B&E is really 100% correct, Because https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html

https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption It states the following are required: kms:ListAliases – To view keys in the Lambda console. kms:CreateGrant, kms:Encrypt – To configure a customer managed key on a function. kms:Decrypt – To view and manage environment variables that are encrypted with a customer managed key. You can get these permissions from your AWS account or from a key's resource-based permissions policy. ListAliases is provided by the managed policies for Lambda. Key policies grant the remaining permissions to users in the Key users group. B provides the Decrypt permission via policy for Lambda. C is required for the initial set up of the Lamdba function

"No AWS KMS permissions are required for your user or the function's execution role to use the default encryption key. To use a customer managed key, you need permission to use the key." This strongly suggests C. https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#managing-permissions-to-your-server-side-encryption-key Answer D "kms:GenerateDataKey" would be needed for other services, but not Lambda. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse

Amazon Cognito user pools allow sign-in through a third party (federation), including through a SAML IdP such as AD FS. For more information, see Adding user pool sign-in through a third party and Adding SAML identity providers to a user pool. You can set up an AD FS server and domain controller on an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance, and then integrate your setup with your user pool using Amazon Cognito's hosted web UI.

For the Developer to create an AWS Lambda function that requires environment variables to store connection information and logging settings using an AWS KMS CMK supplied by the Information Security department, the following configurations are required: B. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy. C. The KMS key policy must allow permissions for the Developer to use the KMS key. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy, as this permission allows the function to decrypt the data stored in the environment variables. The KMS key policy must allow permissions for the Developer to use the KMS key, as this allows the Developer to encrypt and decrypt data using the key.

https://stackoverflow.com/questions/66543870/aws-kms-why-do-i-need-the-kmsdecrypt-permission-when-i-try-to-encrypt-data

Based on the definition from the aws docs Lambda uses your permissions to create a grant on the key. This allows Lambda to use it for encryption. kms:ListAliases – To view keys in the Lambda console. kms:CreateGrant , kms:Encrypt – To configure a customer managed key on a function. Answer - BD

B: kms:Decrypt – To view and manage environment variables that are encrypted with a customer managed key. C: Lambda uses your permissions to create a grant on the key. Lambda doesnt need explicit encrypt permission it uses the created grant.

No need Encrypt in here

Since the CMK has already been created by security team, my understanding is that the execution role needs the decrypt permission (B) to read the environment variables from parameters store and the encrypt permission (E) to store logs files. Option C is wrong because who needs permission is the Lambda Execution role not the developer. Option D could be as well, but it seems that "lambda parameters use direct encryption not envelope encryption"...

E - you must GRANT YOUR LAMBDA KMS PERMISSIONS

BE, developer will use the key through Lambda Function