In AWS Lambda, where can I securely store API Credentials?

I have a lambda function configured through the API Gateway that is supposed to hit an external API via Node (ex: Twilio). I don't want to store the credentials for the functions right in the lambda function though. Is there a better place to set them?

Toli asked Feb 09 '16 17:02



2 Answers

While I haven't done it myself yet, you should be able to leverage AWS KMS to encrypt/decrypt API keys from within the function, granting the Lambda role access to the KMS keys.

Michael Lapidakis answered Sep 22 '22 05:09


The functionality to do this was probably added to Lambda after this question was posted.

AWS documentation recommends using environment variables to store sensitive information. They are encrypted (by default) using the AWS-determined key (aws/lambda) when you create a Lambda function using the AWS Lambda console.

It leverages AWS KMS and lets you either use the key determined by AWS or select your own KMS key (by selecting Enable encryption helpers); you need to have created the key in advance.

From AWS DOC 1...

"When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service. When your Lambda function is invoked, those values are decrypted and made available to the Lambda code.

The first time you create or update Lambda functions that use environment variables in a region, a default service key is created for you automatically within AWS KMS. This key is used to encrypt environment variables. However, should you wish to use encryption helpers and use KMS to encrypt environment variables after your Lambda function is created, then you must create your own AWS KMS key and choose it instead of the default key. The default key will give errors when chosen."

The default key certainly does 'give errors when chosen' - which makes me wonder why they put it into the dropdown at all.

Sources:

  • AWS Doc 1: Introduction: Building Lambda Functions » Environment Variables
  • AWS Doc 2: Create a Lambda Function Using Environment Variables To Store Sensitive Information
Nigel answered Sep 22 '22 05:09
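Putting both answers together (decrypt with KMS from inside the function, with the ciphertext held in an encrypted environment variable), here is an added Node.js example that is not from either answer: the secret is decrypted once at cold start under the function's execution role, cached for the container's lifetime, and never written to the response or logs. The KMS client and `DecryptCommand` are injected so the file also runs offline against the constructed `FakeKms`; the `LambdaFunctionName` encryption context is assumed to match what the console's encryption helper uses.

```javascript
// Added example: decrypt a KMS-encrypted environment variable once, at cold
// start, and keep the plaintext in memory for the life of the container.
// In production `kms` is `new KMSClient()` and `DecryptCommand` comes from
// @aws-sdk/client-kms; both are injected so this also runs against FakeKms.

const cache = new Map();

async function loadSecret(name, kms, DecryptCommand, env = process.env) {
  if (cache.has(name)) return cache.get(name);      // no KMS call on warm invocations
  const b64 = env[name];
  if (!b64) throw new Error(`environment variable ${name} is not set`);
  const res = await kms.send(new DecryptCommand({
    CiphertextBlob: Buffer.from(b64, 'base64'),     // helper stores base64 ciphertext
    // Assumption: the encryption helper binds the blob to the function name,
    // so a ciphertext copied into another function's config fails to decrypt.
    EncryptionContext: { LambdaFunctionName: env.AWS_LAMBDA_FUNCTION_NAME },
  }));
  const plaintext = Buffer.from(res.Plaintext).toString('utf8');
  cache.set(name, plaintext);
  return plaintext;
}

// Constructed stand-in for KMS: "ciphertext" is `fake:<functionName>:<secret>`
// and decryption is refused when the encryption context does not match,
// mirroring the InvalidCiphertextException a real key returns.
class FakeDecryptCommand { constructor(input) { this.input = input; } }
class FakeKms {
  constructor() { this.calls = 0; }
  async send(cmd) {
    this.calls += 1;
    const text = Buffer.from(cmd.input.CiphertextBlob).toString('utf8');
    const [tag, fn, ...rest] = text.split(':');
    if (tag !== 'fake' || fn !== cmd.input.EncryptionContext.LambdaFunctionName) {
      throw new Error('InvalidCiphertextException');
    }
    return { Plaintext: Buffer.from(rest.join(':'), 'utf8') };
  }
}

// Handler: hands the credential to the external API call and never echoes it.
function makeHandler(kms, DecryptCommand, env = process.env, callApi = async () => 'ok') {
  return async () => {
    const token = await loadSecret('TWILIO_AUTH_TOKEN', kms, DecryptCommand, env);
    const result = await callApi(token);
    return { statusCode: 200, body: JSON.stringify({ result }) };
  };
}
```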