diff --git a/internal-api/src/main/java/datadog/trace/api/Config.java b/internal-api/src/main/java/datadog/trace/api/Config.java
index 6418bab301e..d61b2cccf65 100644
--- a/internal-api/src/main/java/datadog/trace/api/Config.java
+++ b/internal-api/src/main/java/datadog/trace/api/Config.java
@@ -1508,7 +1508,9 @@ private Config(final ConfigProvider configProvider, final InstrumenterConfig ins
         configProvider.getBoolean(WRITER_BAGGAGE_INJECT, isDatadogTraceWriter);
     injectLinksAsTagsEnabled = configProvider.getBoolean(WRITER_LINKS_INJECT, isDatadogTraceWriter);
     String lambdaInitType = getEnv("AWS_LAMBDA_INITIALIZATION_TYPE");
-    if (lambdaInitType != null && lambdaInitType.equals("snap-start")) {
+    String lambdaMicrovmImageArn = ConfigHelper.env("AWS_LAMBDA_MICROVM_IMAGE_ARN");
+    if ((lambdaInitType != null && lambdaInitType.equals("snap-start"))
+        || (lambdaMicrovmImageArn != null && !lambdaMicrovmImageArn.isEmpty())) {
       secureRandom = true;
     } else {
       secureRandom = configProvider.getBoolean(SECURE_RANDOM, DEFAULT_SECURE_RANDOM);
diff --git a/internal-api/src/test/java/datadog/trace/api/ConfigSecureRandomTest.java b/internal-api/src/test/java/datadog/trace/api/ConfigSecureRandomTest.java
new file mode 100644
index 00000000000..8d0e65dc60f
--- /dev/null
+++ b/internal-api/src/test/java/datadog/trace/api/ConfigSecureRandomTest.java
@@ -0,0 +1,46 @@
+package datadog.trace.api;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+
+import datadog.trace.junit.utils.config.WithConfig;
+import datadog.trace.junit.utils.config.WithConfigExtension;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+@ExtendWith(WithConfigExtension.class)
+class ConfigSecureRandomTest {
+
+  @Test
+  void defaultStrategyIsRandom() {
+    assertNotEquals("SRandom", Config.get().getIdGenerationStrategy().getClass().getSimpleName());
+  }
+
+  @Test
+  void snapStartEnablesSecureRandom() {
+    WithConfigExtension.injectEnvConfig("AWS_LAMBDA_INITIALIZATION_TYPE", "snap-start", false);
+
+    assertEquals("SRandom", Config.get().getIdGenerationStrategy().getClass().getSimpleName());
+  }
+
+  @Test
+  void microvmImageArnEnablesSecureRandom() {
+    WithConfigExtension.injectEnvConfig(
+        "AWS_LAMBDA_MICROVM_IMAGE_ARN", "arn:aws:lambda:us-east-1::runtime:microvm", false);
+
+    assertEquals("SRandom", Config.get().getIdGenerationStrategy().getClass().getSimpleName());
+  }
+
+  @Test
+  void emptyMicrovmImageArnDoesNotEnableSecureRandom() {
+    WithConfigExtension.injectEnvConfig("AWS_LAMBDA_MICROVM_IMAGE_ARN", "", false);
+
+    assertNotEquals("SRandom", Config.get().getIdGenerationStrategy().getClass().getSimpleName());
+  }
+
+  @Test
+  @WithConfig(key = "trace.secure-random", value = "true")
+  void configPropertyEnablesSecureRandom() {
+    assertEquals("SRandom", Config.get().getIdGenerationStrategy().getClass().getSimpleName());
+  }
+}