You are setting up AWS Lambda function to receive messages from SQS queue, process the message body and insert one record in MySQL RDS instance. You have setup SQS event trigger as AWS Lambda function. However, for connecting to RDS instance, you need MySQL details such as hostname, username and password. Where would you configure them?

Answer options:

A.Use environment variables to pass configuration. They are automatically encrypted by AWS default KMS keys and decrypted when used in Lambda function.
B.Use environment variables to pass configuration. Use encryption helpers to encrypt sensitive information by your own KMS key. Decrypt the variable using decryption helper code provided in the console.
C.Use properties file in AWS Lambda function for any such configuration. Properties files are encrypted by AWS in transit and at rest.
D.Store such configuration in AWS S3 bucket and enable encryption on S3 bucket. Perform S3 get object to get the configuration details in the Lambda function code.

Answer: B
 https://docs.aws.amazon.com/lambda/latest/dg/env_variables.html?shortFooter=true

Option A is not correct. The statement is true, however the encryption only happens after deployment of lambda function.
 Option C is not a valid statement.
Option D looks correct. However, out of given options, Option B is more valid and recommended.