@Sleavely
Last active April 21, 2020 11:32
Restricted-access environment variables for AWS Lambda

This Lambda showcases how you can prohibit certain users from seeing or interacting with the environment variables of a Lambda: the variables are encrypted with a customer-managed KMS key whose key policy denies `kms:Decrypt`, so a principal without decrypt permission cannot read the stored values.

Deployment assumes that you use `aws cloudformation package` followed by `aws cloudformation deploy`. Here's a suggested Makefile that lets you type `make deploy`. Note that the `S3DEPLOYBUCKET` and `SECRET_PASSWORD` variables need to be changed:

```makefile
# Values to change: the bucket that receives the packaged template and the
# password that is passed into the template as the SECRETPASSWORD parameter.
SECRET_PASSWORD    ?= pancakes
S3DEPLOYBUCKET      = my-s3-bucket
S3PATHPREFIX       := cloudformation
AWS_DEFAULT_REGION ?= eu-west-1

# Upload the code in dist/ and rewrite CodeUri to point at the S3 object.
package = aws cloudformation package \
    --template-file cloudformation.yaml \
    --output-template-file dist/cloudformation.dist.yaml \
    --s3-bucket $(S3DEPLOYBUCKET) \
    --s3-prefix $(S3PATHPREFIX)

# Create or update the stack; CAPABILITY_IAM is needed because the template creates a role.
deploy = aws cloudformation deploy --template-file dist/cloudformation.dist.yaml \
    --stack-name kms-env-vars-test \
    --region $(AWS_DEFAULT_REGION) \
    --parameter-overrides \
      SECRETPASSWORD=$(SECRET_PASSWORD) \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --s3-bucket $(S3DEPLOYBUCKET) \
    --s3-prefix $(S3PATHPREFIX)

deploy:
	@echo "Resetting dist directory"
	@rm -rf dist
	@mkdir -p dist

	@echo "Building deployment package"
	@cp index.js dist/index.js
	$(call package)

	@echo "Deploying CloudFormation"
	$(call deploy)

	@echo "Cleaning up"
	@rm -rf dist
	@echo "Done!"
```
The template (cloudformation.yaml):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Encrypted ENV vars example
Transform: AWS::Serverless-2016-10-31
Parameters:
  SECRETPASSWORD:
    Type: String
Globals:
  Function:
    Runtime: nodejs12.x
    Timeout: 30
    Tracing: Active
Resources:
  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: !Sub Experimental key for encrypting Lambda ENV vars
      KeyPolicy:
        Version: '2012-10-17'
        Id: underrated-policy
        Statement:
          # Allow key administration
          - Sid: Allow key administration
            Effect: Allow
            Principal:
              AWS:
                - !Sub ${AWS::AccountId}
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Encrypt
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          # ... but prohibit decryption
          - Sid: Deny some users to see the values
            Effect: Deny
            Principal:
              AWS:
                - !Sub ${AWS::AccountId}
            Action:
              - kms:Decrypt
            Resource: '*'
  TestLambda:
    Type: AWS::Serverless::Function
    Properties:
      # Derived from the stack name (the original referenced undefined ${PROJECT}/${SERVICE} variables).
      FunctionName: !Sub ${AWS::StackName}-testLambda
      CodeUri: ./dist/
      Handler: index.handler
      Description: Lambda to test KMS ENV-var encryption
      # Environment variables are encrypted at rest with this key instead of the AWS-managed one.
      KmsKeyArn: !GetAtt KmsKey.Arn
      Environment:
        Variables:
          PASSWORD: !Sub ${SECRETPASSWORD}
      # The execution role must be able to decrypt with the key, or the function cannot start.
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - kms:Decrypt
              Resource:
                - !GetAtt KmsKey.Arn
  TestLambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${TestLambda}
      RetentionInDays: 30
```
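The key policy above works because of two IAM evaluation rules: action wildcards such as `kms:Create*` and an explicit Deny overriding any Allow. The following offline evaluator is an added example (not part of the gist) that replays the gist's two statements against single actions; it assumes, as a simplification, that an account principal matches every IAM principal in that account, and it ignores Resource and Condition. The account id and role ARN are constructed placeholders.

```python
# Added example (not part of the gist): offline evaluator for the KeyPolicy above.
# Re-implements two IAM rules the policy relies on: action wildcards (kms:Create*)
# and explicit Deny beating Allow. Assumption/simplification: an account principal
# matches every IAM principal of that account; Resource and Condition are ignored.
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"  # constructed placeholder for ${AWS::AccountId}

# The gist's two key-policy statements with !Sub resolved.
KEY_POLICY = {
    "Statement": [
        {"Sid": "Allow key administration", "Effect": "Allow",
         "Principal": {"AWS": [ACCOUNT_ID]}, "Resource": "*",
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Encrypt", "kms:Revoke*",
                    "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource",
                    "kms:UntagResource", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"]},
        {"Sid": "Deny some users to see the values", "Effect": "Deny",
         "Principal": {"AWS": [ACCOUNT_ID]}, "Resource": "*",
         "Action": ["kms:Decrypt"]},
    ]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_matches(statement, principal_arn):
    """True if the statement names this principal's account (or '*')."""
    account = principal_arn.split(":")[4]
    allowed = {"*", account, f"arn:aws:iam::{account}:root"}
    return any(p in allowed for p in _as_list(statement["Principal"].get("AWS", [])))

def evaluate(policy, principal_arn, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action; explicit Deny wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision

if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT_ID}:role/Developer"  # constructed principal
    for act in ("kms:Decrypt", "kms:Encrypt", "kms:DescribeKey", "kms:GenerateDataKey"):
        print(f"{act:<20} -> {evaluate(KEY_POLICY, role, act)}")
```

Running it shows the intended asymmetry: `kms:Encrypt` and `kms:DescribeKey` are allowed for the account's principals while `kms:Decrypt` is explicitly denied, and anything the admin statement does not name (for example `kms:GenerateDataKey`) falls through to an implicit deny.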
The handler (index.js), which only logs the value the Lambda service decrypted for it at invocation time:

```javascript
// Lambda decrypts the environment with the execution role before the handler runs,
// so the handler itself never calls KMS.
const {
  PASSWORD = '<not set>',
} = process.env

exports.handler = async () => {
  console.log(`process.env.PASSWORD is: ${PASSWORD}`)
}
```