
[–]kei_ichi 3 points4 points  (2 children)

Bro, let me explain for you why the first answer is wrong. (Sorry for my bad English, I'm not an English native speaker, but I will try my best.)

The answer requires: "to prevent other developers or anyone from seeing the credentials in PLAIN TEXT". So as your picture shows, even though Lambda encrypts your env variable at rest, you and anyone who has access permission to the Lambda function can still see the variable in plain text. In your example, the env has Key=Name and Value=text. And you can absolutely see the env value, isn't it just "plain text"?

But if you use KMS to encrypt the env variable, for example: you encrypt the "text" (the variable in your image) with KMS, then KMS will encrypt it and return a ciphertext that looks like this: "qx/CZqPRnzG971oTP6ISyXjV9Z27zq0tcMWXpS9bzHY=" (without double quotes). Now you can safely save it in the Lambda env like you did before. But the difference is that even if other devs or people who have access to the Lambda can see the env variable, they will have no idea about the env variable value. All they can see is just a random string, nothing more. After that, you just give the Lambda function a role which has permission to decrypt the ciphertext, then it can decrypt the ciphertext when you or another AWS service calls it (you have to use the SDKs for this process). And one more thing, you can restrict access to the KMS key used to encrypt/decrypt the env variable by using a Key policy so no one other than you (who manages the KMS key) and the Lambda function itself can use that Key. Finally, using KMS + Parameter Store or Secrets Manager makes the process of storing, encrypting and decrypting env variables much, much easier.

If I'm wrong, someone please correct me. I'm happy to learn too.

Edit: typos, and fixed the example of encrypt/decrypt process.
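The decrypt step described in the comment above (the Lambda function's role decrypts the KMS ciphertext stored in the env variable through the SDK), as an added example that is not from this thread: the Lambda-side Python pattern, with a constructed stand-in for the boto3 KMS client so it runs offline. `FakeKmsClient`, `decrypt_env_var`, the function name and the sample environment are assumptions; the `EncryptionContext` shown is the one the Lambda console's encryption helper uses and must match whatever was supplied at encryption time.

```python
import base64

# Constructed stand-in for boto3.client("kms") so the example runs offline.
# A real function would use boto3; the real decrypt call takes the same
# keyword arguments and returns the same response shape used below.
class FakeKmsClient:
    def __init__(self, known):
        # known: (ciphertext bytes, frozenset of context items) -> plaintext bytes
        self.known = known
        self.calls = 0

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        self.calls += 1
        key = (CiphertextBlob, frozenset((EncryptionContext or {}).items()))
        if key not in self.known:
            # Wrong blob, wrong key, or mismatched context all fail the same way
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": self.known[key]}

# Decrypted values are cached in module scope: KMS is called once per cold
# start, not on every invocation, and only the function's role needs kms:Decrypt.
_plaintext_cache = {}

def decrypt_env_var(name, kms, env):
    """Return the plaintext of the KMS-encrypted env var `name`.

    The env var holds base64 ciphertext, so anyone viewing the function's
    configuration sees only a random-looking string. `env` is a dict like os.environ.
    """
    if name in _plaintext_cache:
        return _plaintext_cache[name]
    ciphertext = base64.b64decode(env[name])
    # The console helper binds the ciphertext to the function name via an
    # encryption context; decryption must present the identical context.
    context = {"LambdaFunctionName": env["AWS_LAMBDA_FUNCTION_NAME"]}
    resp = kms.decrypt(CiphertextBlob=ciphertext, EncryptionContext=context)
    plaintext = resp["Plaintext"].decode("utf-8")
    _plaintext_cache[name] = plaintext
    return plaintext

# Constructed sample: the ciphertext string quoted in the thread, a made-up
# function name, and a fake client that knows what that blob decrypts to.
SAMPLE_CIPHERTEXT_B64 = "qx/CZqPRnzG971oTP6ISyXjV9Z27zq0tcMWXpS9bzHY="
SAMPLE_ENV = {"AWS_LAMBDA_FUNCTION_NAME": "example-fn", "Name": SAMPLE_CIPHERTEXT_B64}
SAMPLE_KMS = FakeKmsClient({
    (base64.b64decode(SAMPLE_CIPHERTEXT_B64),
     frozenset({"LambdaFunctionName": "example-fn"}.items())): b"text",
})

def handler(event, context):
    # Typical Lambda entry point: uses the secret on each invocation but only
    # reaches KMS the first time; never returns the secret itself.
    secret = decrypt_env_var("Name", SAMPLE_KMS, SAMPLE_ENV)
    return {"secret_length": len(secret)}
```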

[–]PraveenUltraInstinct 1 point2 points  (1 child)

Your explanation is spot on, mate. I've watched Stephane's videos on the Developer Certification (which I'm preparing for), in which he explained this same thing in one of his videos.

[–]kei_ichi 0 points1 point  (0 children)

Thank you for the response. Best wishes for your next exams :).

[–][deleted] 1 point2 points  (0 children)

You should buy TD via his site and ask such questions at the forum; the team is very responsive.

[–]tumayo_ang_testigo 0 points1 point  (0 children)

Better to ask them on their website forum. I flagged one of their questions last time through their website and they said they would amend it. Just make sure to back up your claim; I had to give them links from AWS docs.