A company uses AWS Key Management Service (AWS KMS) keys to encrypt AWS Lambda environment variables. A solutions architect must ensure the correct permissions are in place so the environment variables can be decrypted and used. Which steps must the solutions architect take to implement the required permissions? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Add AWS KMS permissions in the Lambda execution role., Allow the Lambda execution role in the AWS KMS key policy..
Why this is the answer
To decrypt Lambda environment variables, the Lambda function's execution role needs permission to use the KMS key. This is achieved by adding the necessary KMS decryption actions (e.g., kms:Decrypt) to the Lambda execution role's IAM policy. Additionally, the KMS key policy itself must explicitly allow this Lambda execution role to perform those decryption actions. Both steps are crucial: the role needs permission, and the key needs to grant that permission to the role. Adding KMS permissions in the Lambda resource policy or function policy is incorrect because Lambda execution permissions are managed via the execution role. Allowing the Lambda resource policy in the KMS key policy is incorrect as KMS key policies grant permissions to IAM principals (like roles), not resource policies.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed