You are deploying a new Lambda function that needs to use a credit card number to make payments for purchases for internal company employees. This credit card information is used by default when an employee doesn`t provide a purchase order number or another credit card number. What is the most secure and less-costly way to store this information?

Answer options:

A.Use Environment variable with AWS managed key.
B.Use Environment variable with custom KMS key.
C.Use Environment variable with Transport Layer Security (TLS).
D.Assign a variable with credit card information.

Answer: A
Lambda always provides server-side encryption at rest with an AWS KMS key. By default, Lambda uses an AWS-managed key. If this default behavior suits your workflow, you don`t need to set anything else up. Lambda creates the AWS managed key in your account and manages permissions to it for you. AWS doesn`t charge you to use this key.
If you prefer, you can provide an AWS KMS customer-managed key instead. You might do this to have control over the rotation of the KMS key or to meet the requirements of your organization for managing KMS keys. When you use a customer-managed key, only users in your account with access to the KMS key can view or manage environment variables on the function.
Options B is incorrect because it is the distractor, there is nothing like a custom KMS key. The real component is Customer managed keys.
Option C is incorrect because Transport Layer Security (TLS) is used for encryption in transit and When you manage Lambda resources all communication is encrypted in transit with Transport Layer Security (TLS).
Option D is incorrect because this will not secure the credit card information.
Reference:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
https://aws.amazon.com/kms/pricing/