Correct Answer: A.
Option A is CORRECT because the Lambda function is placed in a subnet with no internet access, so it needs a KMS VPC endpoint in order to reach KMS.
Because the JSON object is larger than 4 KB, you need to encrypt it using Envelope Encryption.
More details: https://lobster1234.github.io/2017/09/29/aws-kms-envelope-encryption/
Option B is incorrect because the Lambda function needs internet access in order to communicate with KMS.
More details: https://aws.amazon.com/blogs/security/how-to-connect-directly-to-aws-key-management-service-from-amazon-vpc-by-using-an-aws-privatelink-endpoint/
Option C is incorrect because the JSON object is 7 KB in size and the maximum plaintext size allowed by the KMS encrypt() method is 4 KB.
More details: https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html
Option D is incorrect because the Lambda function needs internet access in order to communicate with KMS.
More details: https://aws.amazon.com/blogs/security/how-to-connect-directly-to-aws-key-management-service-from-amazon-vpc-by-using-an-aws-privatelink-endpoint/
The correct answer is A: Create a VPC Endpoint in the Lambda VPC for the KMS Service. Generate a new Customer Master Key. Encrypt the JSON data using KMS Envelope Encryption. Upload the encrypted data to DynamoDB.
Here is a detailed explanation of why this is the best approach:
Create a VPC Endpoint in the Lambda VPC for the KMS Service: The Lambda function is in a private subnet that does not have internet access, so it cannot directly access the KMS service, which is a managed service that provides encryption keys. To enable the Lambda function to use KMS, we need to create a VPC endpoint in the Lambda VPC for the KMS service. A VPC endpoint is a private connection between the VPC and the KMS service, which does not require internet access.
Generate a new Customer Master Key: A Customer Master Key (CMK) is a logical representation of a master key in KMS. It is used to encrypt and decrypt data. In this case, we need to generate a new CMK to encrypt the bank account information.
Encrypt the JSON data using KMS Envelope Encryption: KMS Envelope Encryption is a technique used to encrypt large amounts of data with KMS. It uses a data encryption key (DEK) to encrypt the data, and then encrypts the DEK with the CMK. This allows us to encrypt the large JSON object without hitting the maximum size limit of KMS encryption.
Upload the encrypted data to DynamoDB: After encrypting the JSON data, we can upload it to DynamoDB, a fully managed NoSQL database service provided by AWS. DynamoDB allows us to store and retrieve data with high availability and durability.
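The following is an added example, not code from this page or from AWS, that walks through the envelope-encryption flow described in both explanations above: a direct kms:Encrypt call rejects a payload over 4 KB, while GenerateDataKey plus local AES-GCM encryption handles the 7 KB JSON object and leaves only the wrapped data key to be stored next to the ciphertext in the DynamoDB item. Assumptions: StubKMS is a stand-in for the KMS API (GenerateDataKey, Encrypt, Decrypt) so the code runs offline without an AWS account or VPC endpoint; SamplePayload is a constructed JSON record, not real bank data; in a real Lambda function the stub would be replaced by the AWS SDK's KMS client, which reaches KMS through the VPC endpoint.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"strings"
)

// MaxDirectEncryptBytes mirrors the 4 KB plaintext limit of the kms:Encrypt API.
const MaxDirectEncryptBytes = 4096
// StubKMS stands in for KMS so the example runs offline; real KMS never releases CMK material (an assumption of this example).
type StubKMS struct{ masterKey []byte }
func randomBytes(n int) []byte { // a crypto/rand failure is unrecoverable, so panic
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}
func NewStubKMS() *StubKMS { return &StubKMS{masterKey: randomBytes(32)} } // AES-256 key as the CMK
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// open reverses seal; the GCM tag check makes any tampering fail.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Encrypt mimics kms:Encrypt, including its plaintext size limit.
func (k *StubKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > MaxDirectEncryptBytes {
		return nil, fmt.Errorf("%d bytes exceeds the %d-byte kms:Encrypt limit", len(plaintext), MaxDirectEncryptBytes)
	}
	return seal(k.masterKey, plaintext)
}

// GenerateDataKey mimics kms:GenerateDataKey: a fresh DEK plus the same DEK wrapped under the CMK.
func (k *StubKMS) GenerateDataKey() (plainDEK, wrappedDEK []byte, err error) {
	plainDEK = randomBytes(32)
	wrappedDEK, err = seal(k.masterKey, plainDEK)
	return plainDEK, wrappedDEK, err
}

// Envelope is the DynamoDB item: data ciphertext plus the wrapped DEK, never the plaintext DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// EnvelopeEncrypt: one KMS call for a DEK, then local encryption, so the 4 KB limit only ever applies to the 32-byte DEK.
func EnvelopeEncrypt(k *StubKMS, plaintext []byte) (*Envelope, error) {
	plainDEK, wrappedDEK, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(plainDEK, plaintext)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrappedDEK, Ciphertext: ct}, nil
}

// EnvelopeDecrypt: one KMS call to unwrap the DEK, then local decryption.
func EnvelopeDecrypt(k *StubKMS, env *Envelope) ([]byte, error) {
	plainDEK, err := open(k.masterKey, env.WrappedDEK) // the kms:Decrypt call, on the wrapped DEK only
	if err != nil {
		return nil, err
	}
	return open(plainDEK, env.Ciphertext)
}

// SamplePayload is a made-up JSON record of about 7 KB, like the object in the question.
var SamplePayload = []byte(fmt.Sprintf(`{"holder":"customer-001","iban":"XX00EXAMPLE","notes":%q}`, strings.Repeat("x", 7100)))

func main() {
	k := NewStubKMS()
	_, direct := k.Encrypt(SamplePayload) // expected to fail: payload is over 4 KB
	env, _ := EnvelopeEncrypt(k, SamplePayload)
	out, err := EnvelopeDecrypt(k, env)
	fmt.Printf("%d bytes; direct kms:Encrypt: %v; envelope round trip ok: %v\n", len(SamplePayload), direct, err == nil && string(out) == string(SamplePayload))
}
```

Two practical points the stub cannot show: the plaintext DEK should be zeroed as soon as the data has been encrypted or decrypted, and only the wrapped copy ever persists; and the AWS Encryption SDK (and the DynamoDB Encryption Client built on it) implements exactly this GenerateDataKey-then-encrypt-locally pattern, so production code should prefer it over hand-rolled envelope handling.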
Option B is incorrect because it does not specify how the Lambda function can access KMS in a private subnet. Option C is incorrect because it mentions the use of the encrypt() method, which is not a valid method for encrypting data with KMS. Option D is incorrect because it does not specify how the Lambda function can access KMS in a private subnet.