Security model for Lambda SnapStart
AWS Lambda SnapStart supports encryption at rest. Lambda encrypts snapshots with an AWS KMS key. By default,
Lambda uses an AWS managed key. If this default behavior suits your workflow, then you don't need to set up
anything else. Otherwise, you can use the --kms-key-arn option in the create-function
If your function is also a durable function, the customer managed key that encrypts SnapStart snapshots is independent of the customer managed key that encrypts durable execution data. For more information, see Encrypting AWS Lambda durable execution data.
When you delete a SnapStart function or function version, all Invoke requests to that function or function version fail. Lambda removes all resources associated with deleted snapshots in compliance with the General Data Protection Regulation (GDPR).