Security model for Lambda SnapStart - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security model for Lambda SnapStart

Lambda SnapStart supports encryption at rest. Lambda encrypts snapshots with an Amazon KMS key. By default, Lambda uses an Amazon managed key. If this default behavior suits your workflow, then you don't need to set up anything else. Otherwise, you can use the --kms-key-arn option in the create-function or update-function-configuration command to provide an Amazon KMS customer managed key. You might do this to control rotation of the KMS key or to meet the requirements of your organization for managing KMS keys. Customer managed keys incur standard Amazon KMS charges. For more information, see Amazon Key Management Service pricing.

When you delete a SnapStart function or function version, all Invoke requests to that function or function version fail. Lambda automatically deletes snapshots that are not invoked for 14 days. Lambda removes all resources associated with deleted snapshots in compliance with the General Data Protection Regulation (GDPR).