AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK
Description
The AWSConfigRemediation-EncryptLambdaEnvironmentVariablesWithCMK
runbook encrypts, at rest, the environment variables for the Amazon Lambda (Lambda)
function you specify using an Amazon Key Management Service (Amazon KMS) customer managed key. This runbook should only
be used as a baseline to ensure that your Lambda function's environment variables are
encrypted according to minimum recommended security best practices. We recommend
encrypting multiple functions with different customer managed keys.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
-
AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
-
FunctionName
Type: String
Description: (Required) The name or ARN of the Lambda function whose environment variables you want to encrypt.
-
KMSKeyArn
Type: String
Description: (Required) The ARN of the Amazon KMS customer managed key you want to use to encrypt your Lambda function's environment variables.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to
use the runbook successfully.
-
ssm:StartAutomationExecution -
ssm:GetAutomationExecution -
lambda:GetFunctionConfiguration -
lambda:UpdateFunctionConfiguration
Document Steps
-
aws:waitForAwsResourceProperty- Waits for theLastUpdateStatusproperty to beSuccessful. -
aws:executeAwsApi- Encrypts the environment variables for the Lambda function you specify in theFunctionNameparameter using the Amazon KMS customer managed key you specify in theKMSKeyArnparameter. -
aws:assertAwsResourceProperty- Confirms encryption is enabled on the environment variables for your Lambda function.