
Answer-first summary for fast verification
Answer: B. Add AWS KMS permissions in the Lambda execution role. D. Allow the Lambda execution role in the AWS KMS key policy.
## Explanation

When Lambda environment variables are encrypted with a customer managed AWS KMS key, permission has to be granted on both sides of the KMS call: on the identity that makes the call (the execution role) and on the resource being used (the key).

### **B. Add AWS KMS permissions in the Lambda execution role.**

- The execution role is the IAM role the function assumes while it runs.
- That role needs an identity policy allowing `kms:Decrypt` on the key, because the Lambda service decrypts the environment variables with the role's credentials when the function is initialized.
- Without it, invocations fail with a KMS access-denied error before the handler runs.
- Scope the statement to the one key ARN and the one action. The function itself only decrypts; encrypting the variables at configuration time is done with the permissions of whoever updates the function, not the execution role.

### **D. Allow the Lambda execution role in the AWS KMS key policy.**

- The key policy is the resource-based policy attached to the key and is the primary control over who can use it.
- It must allow the execution role, as a principal, to call `kms:Decrypt` on the key.
- `kms:Decrypt` in the execution role is not enough on its own: KMS authorizes a request only if the key policy permits it, either by naming the role directly or, for same-account callers, through the default statement that gives the account root `kms:*` and thereby delegates to IAM. Naming the role explicitly is the safer pattern and is mandatory when the key lives in a different account from the function.

### Why the other options are incorrect:

**A. Add AWS KMS permissions in the Lambda resource policy.**

- A Lambda resource-based policy controls who may invoke or manage the function (other accounts, or services such as Amazon S3, Amazon SNS and API Gateway). It grants nothing to the function itself while it runs.
- KMS does not consult Lambda's resource policy when authorizing a decrypt call, so a `kms:Decrypt` statement there has no effect.

**C. Add AWS KMS permissions in the Lambda function policy.**

- "Function policy" is another name for the function's resource-based policy, so this is option A under a different label and fails for the same reason.
- Permissions the function exercises at runtime come from its execution role, not from any policy attached to the function.

**E. Allow the Lambda resource policy in the AWS KMS key policy.**

- The `Principal` element of a key policy must name an IAM principal (an account, role, user or AWS service). A resource policy is a document attached to the function, not a principal, so there is nothing here the key policy could allow.

### Key Concepts:

1. **IAM Execution Role**: identity policy that grants the function its permissions at runtime.
2. **KMS Key Policy**: resource policy that controls who can use the key itself.
3. **Both are required**: the execution role needs `kms:Decrypt` on the key, AND the key policy must allow the execution role to use the key.

This dual-permission model follows the least-privilege principle and ensures that only the intended execution role, and therefore only the intended function, can decrypt the environment variables.
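The following is an added worked example, not code from the original page or from AWS: it builds the two policy documents the explanation calls for (the execution role's identity policy for option B and the key policy statement for option D) and checks that both grant the role `kms:Decrypt` on the key. The account ID, region, key ID and role name are made-up placeholders, and the evaluator is a deliberately simplified model of AWS authorization (Allow statements only, exact principal ARNs, no Deny, Condition, or delegation through the account root), written only to show why one document without the other is not enough.

```python
"""Added example (not from the original page): the execution-role policy and
KMS key policy that together let a Lambda function decrypt its environment
variables, plus a simplified check that BOTH documents allow kms:Decrypt.
Account ID, region, key ID and role name are made-up placeholders."""
import json

ACCOUNT_ID = "123456789012"                                   # placeholder
KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/"         # placeholder
           "11111111-2222-3333-4444-555555555555")
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/order-lambda-role"  # placeholder


def execution_role_policy(key_arn: str) -> dict:
    """Option B: identity policy on the execution role, one action, one key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DecryptLambdaEnvVars",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": key_arn,
    }]}


def key_policy(account_id: str, role_arn: str) -> dict:
    """Option D: key policy that keeps administration with the account root
    and names the execution role explicitly for decryption."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableKeyAdministrationByAccount",
         "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*",
         "Resource": "*"},
        {"Sid": "AllowLambdaExecutionRoleToDecrypt",
         "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": "kms:Decrypt",
         "Resource": "*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """Exact match plus the '*' and 'kms:*' style wildcards only."""
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith(":*") and value.startswith(pattern[:-1])


def identity_policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: Allow statements only, no Deny/Condition."""
    return any(
        stmt["Effect"] == "Allow"
        and any(_matches(a, action) for a in _as_list(stmt["Action"]))
        and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        for stmt in policy["Statement"])


def key_policy_allows(policy: dict, principal_arn: str, action: str) -> bool:
    """Simplified key-policy evaluation: the principal ARN must appear literally.
    Delegation to IAM via the account-root statement is not modelled."""
    return any(
        stmt["Effect"] == "Allow"
        and principal_arn in _as_list(stmt.get("Principal", {}).get("AWS", []))
        and any(_matches(a, action) for a in _as_list(stmt["Action"]))
        for stmt in policy["Statement"])


def lambda_can_decrypt(role_policy: dict, key_policy_doc: dict,
                       role_arn: str, key_arn: str) -> bool:
    """Both documents must allow it: identity policy (B) AND key policy (D)."""
    return (identity_policy_allows(role_policy, "kms:Decrypt", key_arn)
            and key_policy_allows(key_policy_doc, role_arn, "kms:Decrypt"))


def without_role_statement(key_policy_doc: dict) -> dict:
    """Failure mode: a key policy that never names the execution role."""
    return {"Version": "2012-10-17",
            "Statement": [s for s in key_policy_doc["Statement"]
                          if s.get("Sid") != "AllowLambdaExecutionRoleToDecrypt"]}


if __name__ == "__main__":
    role_pol, key_pol = execution_role_policy(KEY_ARN), key_policy(ACCOUNT_ID, ROLE_ARN)
    print(json.dumps(role_pol, indent=2))
    print(json.dumps(key_pol, indent=2))
    print("correct setup:", lambda_can_decrypt(role_pol, key_pol, ROLE_ARN, KEY_ARN))
    print("key policy missing role:",
          lambda_can_decrypt(role_pol, without_role_statement(key_pol), ROLE_ARN, KEY_ARN))
```

The two JSON documents printed by the block are the ones you would attach in AWS: the first as an inline or managed policy on the execution role, the second as the key's policy. The check returns true only when both are present, which is the point of choosing B and D together; dropping the role statement from the key policy, or granting the role `kms:Encrypt` instead of `kms:Decrypt`, makes it fail.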
Author: LeetQuiz Editorial Team
A company is using AWS Key Management Service (AWS KMS) keys to encrypt AWS Lambda environment variables. A solutions architect needs to ensure that the required permissions are in place to decrypt and use the environment variables.
Which steps must the solutions architect take to implement the correct permissions? (Choose two.)
A. Add AWS KMS permissions in the Lambda resource policy.
B. Add AWS KMS permissions in the Lambda execution role.
C. Add AWS KMS permissions in the Lambda function policy.
D. Allow the Lambda execution role in the AWS KMS key policy.
E. Allow the Lambda resource policy in the AWS KMS key policy.