Securing Lambda environment variables - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Securing Lambda environment variables

To secure your environment variables, you can rely on server-side encryption, which Lambda always applies to protect your data at rest, and optionally add client-side encryption, which protects the values in transit and keeps the plaintext out of the function configuration.

Note

To increase database security, we recommend that you use Amazon Secrets Manager instead of environment variables to store database credentials. For more information, see Using Amazon Lambda with Amazon RDS.

Security at rest

Lambda always provides server-side encryption at rest with an Amazon KMS key. By default, Lambda uses an Amazon managed key. If this default behavior suits your workflow, you don't need to set up anything else. Lambda creates the Amazon managed key in your account and manages permissions to it for you. Amazon doesn't charge you to use this key.

If you prefer, you can provide an Amazon KMS customer managed key instead. You might do this to have control over rotation of the KMS key or to meet the requirements of your organization for managing KMS keys. When you use a customer managed key, only users in your account with access to the KMS key can view or manage environment variables on the function.

Customer managed keys incur standard Amazon KMS charges. For more information, see Amazon Key Management Service pricing.

Security in transit

For additional security, you can enable helpers for encryption in transit. With the helpers enabled, the console encrypts each selected value with the KMS key you choose before sending it to Lambda, so the function configuration stores only the ciphertext and your function code must call Amazon KMS to decrypt the value at runtime. Anyone who can read the function configuration but lacks kms:Decrypt on that key sees only ciphertext.

To configure encryption for your environment variables
  1. Use the Amazon Key Management Service (Amazon KMS) to create any customer managed keys for Lambda to use for server-side and client-side encryption. For more information, see Creating keys in the Amazon Key Management Service Developer Guide.

  2. Using the Lambda console, navigate to the Edit environment variables page.

    1. Open the Functions page of the Lambda console.

    2. Choose a function.

    3. Choose Configuration, then choose Environment variables from the left navigation bar.

    4. In the Environment variables section, choose Edit.

    5. Expand Encryption configuration.

  3. (Optional) Enable console encryption helpers to use client-side encryption to protect your data in transit.

    1. Under Encryption in transit, choose Enable helpers for encryption in transit.

    2. For each environment variable that you want to encrypt client-side, choose Encrypt next to it.

    3. Under Amazon KMS key to encrypt in transit, choose a customer managed key that you created at the beginning of this procedure.

    4. Choose Execution role policy and copy the policy. This policy grants permission to your function's execution role to decrypt the environment variables.

      Save this policy to use in the last step of this procedure.

    5. Add code to your function that decrypts the environment variables. To see an example, choose Decrypt secrets snippet.

  4. (Optional) Specify your customer managed key for encryption at rest.

    1. Choose Use a customer master key.

    2. Choose a customer managed key that you created at the beginning of this procedure.

  5. Choose Save.

  6. Set up permissions.

    If you're using a customer managed key with server-side encryption, grant permissions to any users or roles that you want to be able to view or manage environment variables on the function. For more information, see Managing permissions to your server-side encryption KMS key.

    If you're enabling client-side encryption for security in transit, your function needs permission to call the kms:Decrypt API operation. Add the policy that you saved previously in this procedure to the function's execution role.
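The procedure above ends with "add code to your function that decrypts the environment variables" but does not show that code. The following is an added example, not code from the Lambda documentation or the console snippet, that shows both sides of client-side encryption: the encrypt step the console helper performs before the value is stored, and the decrypt step the function performs at runtime. It binds each ciphertext to the function name with a KMS encryption context; the context key name LambdaFunctionName is an assumption taken from the console's decrypt snippet, so compare it with the snippet the console shows you. FakeKMS, the key ARN and the variable values are constructed so the module runs offline; swap in boto3.client("kms") in a real deployment, as lambda_handler does.

```python
"""Client-side encryption of a Lambda environment variable under a KMS key,
bound to the function name with an encryption context. Added example; the
FakeKMS stand-in is constructed so the module runs offline."""
import base64
import os
import secrets
from typing import Dict, Optional, Tuple

# Context key the console helpers bind to each ciphertext (assumption: taken
# from the console's "Decrypt secrets snippet", which passes the function name
# under this key; verify against the snippet the console shows you).
CONTEXT_KEY = "LambdaFunctionName"


class FakeKMS:
    """Constructed stand-in for boto3's KMS client. Ciphertexts are opaque
    tokens; a decrypt whose EncryptionContext differs from the one used at
    encrypt time is rejected, as real KMS does (real KMS raises a botocore
    InvalidCiphertextException; here it is a ValueError)."""

    def __init__(self) -> None:
        self._store: Dict[bytes, Tuple[str, Dict[str, str], bytes]] = {}

    def encrypt(self, KeyId: str, Plaintext: bytes, EncryptionContext=None, **_):
        token = secrets.token_bytes(32)
        self._store[token] = (KeyId, dict(EncryptionContext or {}), Plaintext)
        return {"CiphertextBlob": token, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes, EncryptionContext=None, **_):
        entry = self._store.get(CiphertextBlob)
        if entry is None or entry[1] != dict(EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException")
        key_id, _ctx, plaintext = entry
        return {"Plaintext": plaintext, "KeyId": key_id}


def encrypt_for_function(kms, key_arn: str, function_name: str, value: str) -> str:
    """Encrypt side (what the console helper does before the value is stored):
    encrypt under the customer managed key with the function name as context
    and return the base64 text that goes into the environment variable."""
    resp = kms.encrypt(KeyId=key_arn, Plaintext=value.encode("utf-8"),
                       EncryptionContext={CONTEXT_KEY: function_name})
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


# Plaintext cache, keyed by (function name, variable name), so KMS is called
# once per execution environment (cold start) rather than on every invocation.
_cache: Dict[Tuple[str, str], str] = {}


def decrypt_env(name: str, kms, function_name: str,
                env: Optional[Dict[str, str]] = None) -> str:
    """Decrypt side (what the function does at runtime): base64-decode the
    variable and call kms:Decrypt with the same encryption context."""
    key = (function_name, name)
    if key not in _cache:
        source = os.environ if env is None else env
        resp = kms.decrypt(CiphertextBlob=base64.b64decode(source[name]),
                           EncryptionContext={CONTEXT_KEY: function_name})
        _cache[key] = resp["Plaintext"].decode("utf-8")
    return _cache[key]


def lambda_handler(event, context):
    """Handler shape for a real deployment (not exercised offline). boto3 is
    imported lazily; AWS_LAMBDA_FUNCTION_NAME is set by the Lambda runtime."""
    import boto3  # present in the Lambda Python runtime
    secret = decrypt_env("DB_PASSWORD", boto3.client("kms"),
                         os.environ["AWS_LAMBDA_FUNCTION_NAME"])
    return {"statusCode": 200, "secretLength": len(secret)}


def demo() -> Dict[str, object]:
    """Offline walkthrough: the same ciphertext decrypts for the function it
    was encrypted for and is rejected for any other function name."""
    kms = FakeKMS()
    key_arn = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"  # hypothetical
    env = {"DB_PASSWORD": encrypt_for_function(kms, key_arn, "orders-api", "s3cr3t-db-pw")}
    plaintext = decrypt_env("DB_PASSWORD", kms, "orders-api", env)
    try:
        decrypt_env("DB_PASSWORD", kms, "billing-worker", env)
        cross = "decrypted"
    except ValueError:
        cross = "rejected"
    return {"plaintext": plaintext, "cross_function": cross,
            "stored_value_is_ciphertext": env["DB_PASSWORD"] != "s3cr3t-db-pw"}
```

The encryption context is the part worth keeping even if you write your own helper: without it, any principal allowed kms:Decrypt on the key can decrypt a ciphertext copied out of one function's configuration into another, and the execution role policy the console generates relies on that context to scope the grant to a single function.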

Managing permissions to your server-side encryption KMS key

No Amazon KMS permissions are required for your user or the function's execution role to use the default encryption key. To use a customer managed key, you need permission to use the key. Lambda uses your permissions to create a grant on the key, and that grant is what lets Lambda encrypt and decrypt the environment variables with it. The permissions involved are:

  • kms:ListAliases – To view keys in the Lambda console.

  • kms:CreateGrant, kms:Encrypt – To configure a customer managed key on a function.

  • kms:Decrypt – To view and manage environment variables that are encrypted with a customer managed key.

You can get these permissions from your Amazon Web Services account or from a key's resource-based permissions policy. ListAliases is provided by the managed policies for Lambda. Key policies grant the remaining permissions to users in the Key users group.

Users without Decrypt permissions can still manage functions, but they can't view environment variables or manage them in the Lambda console. To prevent a user from viewing environment variables, add a statement to the user's permissions that denies access to the default key, a customer managed key, or all keys. An explicit Deny takes precedence over any Allow, including one granted by the key policy, so this works even for users listed as key users.

Example IAM policy – Deny access by key ARN

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws-cn:kms:us-west-2:111122223333:key/3be10e2d-xmpl-4be4-bc9d-0405a71945cc"
    }
  ]
}

For details on managing key permissions, see Key policies in Amazon KMS in the Amazon Key Management Service Developer Guide.
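The deny policy above shows how to block a user; the other half of the permission picture is the Allow that the function's execution role needs, which the console hands you as "Execution role policy" but this page does not show. The following is an added example, not from the Lambda documentation: it builds a least-privilege kms:Decrypt statement scoped to one key ARN and one function name via the kms:EncryptionContext:LambdaFunctionName condition key (modeled on the console-generated policy; treat the condition key as an assumption and compare with the policy you copied), builds the deny policy for a user, and audits an arbitrary policy document for Decrypt grants that are wider than a single function needs. The key ARN and function names are constructed; attach_to_role calls the real boto3 IAM API and is not exercised offline.

```python
"""Least-privilege kms:Decrypt for a Lambda execution role, plus an audit for
over-broad grants. Added example, not from the Lambda documentation."""
import json
from typing import Dict, List

# KMS condition key that matches the encryption context used by the console
# helpers (assumption: modeled on the console-generated execution role policy).
CONTEXT_CONDITION = "kms:EncryptionContext:LambdaFunctionName"


def execution_role_decrypt_policy(key_arn: str, function_name: str) -> Dict:
    """Allow Decrypt on exactly one key, and only for ciphertext that was
    encrypted with this function's name as encryption context."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DecryptEnvVarsForThisFunction",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": key_arn,
            "Condition": {"StringEquals": {CONTEXT_CONDITION: function_name}},
        }],
    }


def deny_decrypt_policy(key_arns: List[str]) -> Dict:
    """User or role policy that hides env vars encrypted under these keys; an
    explicit Deny wins over any Allow the key policy grants."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyEnvVarDecrypt",
            "Effect": "Deny",
            "Action": ["kms:Decrypt"],
            "Resource": list(key_arns),
        }],
    }


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def audit_decrypt_statements(policy: Dict) -> List[str]:
    """Return one finding per way an Allow statement grants kms:Decrypt more
    widely than one function needs: wildcard action, wildcard resource, or a
    missing encryption-context condition. IAM action names are
    case-insensitive, so compare them lower-cased."""
    findings: List[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a in ("kms:decrypt", "kms:*", "*") for a in actions):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        if any(a in ("kms:*", "*") for a in actions):
            findings.append(f"{sid}: wildcard action grants Decrypt on every key action")
        resources = _as_list(st.get("Resource", []))
        if any(r == "*" or r.endswith(":key/*") for r in resources):
            findings.append(f"{sid}: Resource is a wildcard, not a specific key ARN")
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if CONTEXT_CONDITION not in conditions:
            findings.append(f"{sid}: no {CONTEXT_CONDITION} condition, so any "
                            "ciphertext under the key can be decrypted by this role")
    return findings


def attach_to_role(role_name: str, policy_name: str, policy: Dict) -> None:
    """Attach the policy inline with boto3 (real API call; not run offline)."""
    import boto3
    boto3.client("iam").put_role_policy(RoleName=role_name, PolicyName=policy_name,
                                        PolicyDocument=json.dumps(policy))


def demo() -> Dict[str, List[str]]:
    """Scoped policy passes the audit; a constructed kms:* on * gets three findings."""
    key_arn = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"  # hypothetical
    scoped = execution_role_decrypt_policy(key_arn, "orders-api")
    too_broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
    return {"scoped": audit_decrypt_statements(scoped),
            "too_broad": audit_decrypt_statements(too_broad)}
```

Run audit_decrypt_statements over the execution role's policies before enabling client-side encryption: a statement like the constructed "TooBroad" one is common in roles that were created for another purpose, and it silently gives every function sharing that role the ability to decrypt every function's secrets under the key.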