cloudandthings/terraform-aws-costnotifier

feat(security): The lambda function should support KMS-key encrypted environment variables

Closed this issue · 3 comments

In our corporate environment there is a soft-check to enforce that lambda functions have encrypted environment variables, using a specified KMS key.

The module should be updated to support this functionality.

You mean encrypting the variable values with the KMS key? Another option would be to use Secrets Manager and pass the secret ARN into the function. That should be easier for the users, as they do not need access to the KMS key (which they probably do not own).

Hi @kayman-mk, thanks for the feedback.

Our corporate policy checks that Lambda environment variables are encrypted, by passing the `kms_key_arn` variable for the `aws_lambda_function` resource. So I want to add functionality for that.

In our environment we have KMS keys that anyone in the account can use, so permissions to the keys are less of an issue for us.

Using a secret is a nice idea, I hadn't thought of that before.
I think in this case it introduces another service / dependency / complexity, with a slight extra cost.
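What the requested change looks like at the resource level, as an added example and not code from the terraform-aws-costnotifier module: `kms_key_arn` on `aws_lambda_function` switches the environment variables from the AWS-managed key to the customer-managed key, and the execution role then needs `kms:Decrypt` on that key so the function can read them at invocation time. The resource names, `var.kms_key_arn`, and the variable values are assumptions.

```hcl
# Added example, not the module's own code. Names are assumptions.
variable "kms_key_arn" {
  description = "ARN of the customer-managed KMS key that encrypts the environment variables"
  type        = string
}

resource "aws_iam_role" "lambda" {
  name = "cost-notifier-lambda"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

resource "aws_lambda_function" "cost_notifier" {
  function_name = "cost-notifier"
  role          = aws_iam_role.lambda.arn
  handler       = "main.handler"
  runtime       = "python3.11"
  filename      = "lambda.zip"

  # Encrypt the variables at rest with the CMK instead of the default
  # AWS-managed key. This argument is what the corporate check inspects.
  # The principal running terraform apply needs encrypt rights on the key.
  kms_key_arn = var.kms_key_arn

  environment {
    variables = {
      NOTIFICATION_TARGET = "placeholder-value" # assumed variable name
    }
  }
}

# Lambda decrypts the variables on invocation using the execution role's
# permissions, so the role (and the key policy) must allow kms:Decrypt.
resource "aws_iam_role_policy" "kms_decrypt" {
  name = "cost-notifier-kms-decrypt"
  role = aws_iam_role.lambda.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:Decrypt"]
      Resource = var.kms_key_arn
    }]
  })
}
```

Leaving `kms_key_arn` unset is what the soft-check flags, since the function then falls back to the AWS-managed `aws/lambda` key.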

This issue has been resolved in version 2.0.0 🎉