I am working on an AWS CloudFormation template that includes a Lambda function with sensitive environment variables. I'd like to set up a KMS key and encrypt them with it, which is easy to do in the console but proving very difficult to do in CloudFormation.
Can anyone please post a basic CloudFormation JSON object for a Lambda with at least one environment variable that is encrypted using a KMS key, as well as the JSON for creating that key?
You can use environment variables to store secrets securely for use with Lambda functions. Lambda always encrypts environment variables at rest. By default, Lambda uses an AWS KMS key that Lambda creates in your account to encrypt your environment variables. This AWS managed key is named aws/lambda.
It looks like there's a feature request up for it currently, in AWS' serverless-application-model project: https://github.com/awslabs/serverless-application-model/issues/48
However, at the moment there is no way to encrypt individual environment variables via CloudFormation. As for setting up the KMS key itself with CloudFormation, see the following: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
After creating the KMS Key resource, you can use it in your Lambda Function by specifying a KmsKeyArn property in your Function's properties.
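The template the question asks for, as an added example that is not part of the original question or answer: it is built as a Python dict so it can be emitted as the JSON CloudFormation expects, and a small checker walks the resulting template to confirm the Lambda function's KmsKeyArn references a KMS key defined in the same template and that the execution role is allowed kms:Decrypt on that key, which Lambda needs when it decrypts the variables at invocation time. The logical IDs (SecretsKey, LambdaExecutionRole, SecretFunction), the ApiToken parameter and the inline handler are assumptions of this example, not identifiers from the page. Note the caveat the answer hints at: KmsKeyArn encrypts the whole Environment block at rest, but the values still pass through the template in plaintext, so the secret is a NoEcho parameter supplied at deploy time rather than a literal committed to source control, and the IAM principal that creates or updates the function also needs access to the key, which the account-root statement in the key policy lets you grant through ordinary IAM policies.

```python
"""Added example: CloudFormation template (as a dict) with a KMS key, an execution
role allowed to decrypt with it, and a Lambda function whose environment
variables are encrypted at rest with that key via KmsKeyArn. Resource names
and the ApiToken parameter are assumptions of this example."""
import copy
import json


def build_template():
    """Return the CloudFormation template as a plain dict (JSON-serialisable)."""
    key_arn = {"Fn::GetAtt": ["SecretsKey", "Arn"]}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            # NoEcho keeps the value out of describe-stacks / console output;
            # it is still supplied in plaintext at deploy time, not in the file.
            "ApiToken": {"Type": "String", "NoEcho": True},
        },
        "Resources": {
            "SecretsKey": {
                "Type": "AWS::KMS::Key",
                "Properties": {
                    "Description": "Encrypts Lambda environment variables",
                    "EnableKeyRotation": True,
                    "KeyPolicy": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            # Account root keeps the key manageable and lets IAM
                            # policies in this account grant access to it.
                            "Sid": "EnableIAMPermissions",
                            "Effect": "Allow",
                            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                            "Action": "kms:*",
                            "Resource": "*",
                        }],
                    },
                },
            },
            "LambdaExecutionRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Principal": {"Service": "lambda.amazonaws.com"},
                                       "Action": "sts:AssumeRole"}],
                    },
                    "ManagedPolicyArns": [
                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
                    "Policies": [{
                        "PolicyName": "DecryptEnvironment",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            # Least privilege: decrypt only, only with this key.
                            "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt",
                                           "Resource": key_arn}],
                        },
                    }],
                },
            },
            "SecretFunction": {
                "Type": "AWS::Lambda::Function",
                "Properties": {
                    "Runtime": "python3.12",
                    "Handler": "index.handler",
                    "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]},
                    "KmsKeyArn": key_arn,  # customer managed key instead of aws/lambda
                    "Environment": {"Variables": {"API_TOKEN": {"Ref": "ApiToken"}}},
                    "Code": {"ZipFile": "import os\ndef handler(event, context):\n"
                                        "    return len(os.environ['API_TOKEN'])\n"},
                },
            },
        },
    }


def render_json(template=None):
    """Serialise the template to the JSON document CloudFormation consumes."""
    return json.dumps(build_template() if template is None else template, indent=2)


def without_property(template, resource_id, prop):
    """Deep copy of the template with one resource property removed (what-if checks)."""
    tpl = copy.deepcopy(template)
    tpl["Resources"][resource_id]["Properties"].pop(prop, None)
    return tpl


def _getatt_target(value):
    """Logical ID referenced by {"Fn::GetAtt": [id, "Arn"]}, else None."""
    if isinstance(value, dict) and isinstance(value.get("Fn::GetAtt"), list):
        target, attr = value["Fn::GetAtt"]
        return target if attr == "Arn" else None
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _role_can_decrypt(role, key_id):
    """True if an inline policy on the role allows kms:Decrypt on the given key."""
    if role is None:
        return False
    for policy in role["Properties"].get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if not {"kms:Decrypt", "kms:*"} & set(_as_list(stmt.get("Action", []))):
                continue
            if any(r == "*" or _getatt_target(r) == key_id
                   for r in _as_list(stmt.get("Resource", []))):
                return True
    return False


def check_template(template):
    """Return a list of problems for Lambda functions with environment variables."""
    problems, resources = [], template["Resources"]
    kms_keys = {n for n, r in resources.items() if r["Type"] == "AWS::KMS::Key"}
    for name, res in resources.items():
        if res["Type"] != "AWS::Lambda::Function" or "Environment" not in res["Properties"]:
            continue
        props = res["Properties"]
        key_id = _getatt_target(props.get("KmsKeyArn"))
        if key_id is None:
            problems.append(f"{name}: no KmsKeyArn, falls back to the AWS managed aws/lambda key")
        elif key_id not in kms_keys:
            problems.append(f"{name}: KmsKeyArn does not reference an AWS::KMS::Key in this template")
        else:
            role_id = _getatt_target(props.get("Role"))
            if not _role_can_decrypt(resources.get(role_id), key_id):
                problems.append(f"{name}: execution role {role_id} cannot kms:Decrypt with {key_id}")
    return problems


if __name__ == "__main__":
    tpl = build_template()
    print(render_json(tpl))
    print("problems:", check_template(tpl) or "none")
```

Run it to print the JSON template and deploy that output with `aws cloudformation deploy --parameter-overrides ApiToken=...` (supplying the secret from your shell or a secret store, not from a committed file). The checker is deliberately narrow: it looks only at inline role policies and `Fn::GetAtt` references, so a key or permission granted elsewhere (a managed policy, a key ARN passed in as a parameter) will be reported as a problem and needs a manual look.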