Ensure environment variables are protected using AWS KMS keys for AWS Lambda Functions

HIGH

Description

AWS Lambda function environment variables can be encrypted with a customer managed key rather than the AWS managed key. This gives customers greater control over key management and is advisable wherever possible within the AWS ecosystem.

Remediation

In the AWS Console:

  1. Sign in to AWS Console and go to the Functions page on the Lambda console.
  2. Choose a function to update.
  3. Select Configuration and then Environment variables.
  4. Choose the variable to update and select Edit.
  5. Under Encryption configuration, choose Use a customer master key and select a key from the drop-down list.
  6. Select Save.

In Terraform:

  1. In the aws_lambda_function resource, if an environment block is used to define variables, set kms_key_arn on that resource to the ARN of the customer managed key.
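
The following Terraform shows the non-compliant form beside the compliant one; it is an added example, not code from the rule or the provider documentation, and all resource names, the handler, the runtime and the artifact path are constructed placeholders.

```hcl
# Execution role for the function (constructed; minimal trust policy only).
resource "aws_iam_role" "lambda_exec" {
  name = "example-fn-exec"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Customer managed key dedicated to this function's environment variables.
resource "aws_kms_key" "lambda_env" {
  description         = "Encrypts environment variables of example-fn"
  enable_key_rotation = true
}

# Non-compliant: an environment block without kms_key_arn, so the variables
# are encrypted with the AWS managed key instead of a customer managed key.
resource "aws_lambda_function" "weak" {
  function_name = "example-fn-weak"
  role          = aws_iam_role.lambda_exec.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "build/app.zip" # constructed placeholder artifact

  environment {
    variables = {
      DB_HOST = "db.internal.example"
    }
  }
}

# Compliant: the same function with kms_key_arn (a top-level argument of the
# resource, not part of the environment block) set to the CMK above.
resource "aws_lambda_function" "hardened" {
  function_name = "example-fn"
  role          = aws_iam_role.lambda_exec.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "build/app.zip" # constructed placeholder artifact
  kms_key_arn   = aws_kms_key.lambda_env.arn

  environment {
    variables = {
      DB_HOST = "db.internal.example"
    }
  }
}
```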

References:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#kms_key_arn

Policy Details

Rule Reference ID: AC_AWS_0457
CSP: AWS
Remediation Available: Yes
Resource Category: Serverless
Resource Type: Lambda

Frameworks