@davehorner
Created April 10, 2020 17:15
# aws-kms-encrypt , cloudformation decrypt export as env param.
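
```sh
# Encrypt the plaintext with KMS and store the base64 ciphertext as a String parameter.
# With AWS CLI v2, add --cli-binary-format raw-in-base64-out to the encrypt call
# so that --plaintext is read as raw text rather than base64.
aws ssm put-parameter \
  --type String \
  --name '/YOUR/PARAM/NAME' \
  --value "$(aws kms encrypt \
    --output text \
    --query CiphertextBlob \
    --key-id <YOUR_KEY_ID> \
    --plaintext "PLAIN TEXT HERE")"
```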

```yaml
Parameters:
  SomeParameter:
    Type: AWS::SSM::Parameter::Value<String>
    Default: '/your/param/name' # This is your parameter name
Resources:
  ReceiveLambda:
    Type: AWS::Serverless::Function
    Properties:
      Environment:
        Variables:
          SOME_PARAMETER: !Ref SomeParameter
```

```yaml
- Effect: Allow
  Action:
    - kms:Decrypt
  Resource:
    - <KEY_ARN> # Note, the key ARN, not the key alias ARN
```
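
```js
const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2 (callback-style API)
const kms = new AWS.KMS();

// Decrypt a base64-encoded KMS ciphertext and resolve with the plaintext string.
const decrypt = data =>
  new Promise((resolve, reject) =>
    kms.decrypt(
      {
        CiphertextBlob: Buffer.from(data, 'base64')
      },
      (err, data) => {
        if (err) {
          reject(err);
        } else {
          resolve(data.Plaintext.toString());
        }
      }
    )
  );

// SOME_PARAMETER holds the ciphertext injected by the template above.
decrypt(process.env.SOME_PARAMETER).then(param => {
  console.log(param);
});
```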
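
A variant of the decrypt helper above, added here as an example and not part of the original gist: it fails closed when the environment variable is missing or is not base64, and caches the plaintext so KMS is called once per warm container. `makeSecretLoader`, the injected `kmsClient` argument and the stub client are assumptions made so the block runs offline.

```javascript
// Added example (not from the original gist). `makeSecretLoader` and the
// stub KMS client below are hypothetical names used for illustration.
function makeSecretLoader(kmsClient, envName, env = process.env) {
  let cached; // Promise for the plaintext, shared by warm invocations

  return function loadSecret() {
    if (cached) return cached;

    const value = env[envName];
    // Fail closed: a missing or empty parameter must not yield an empty secret.
    if (!value) {
      return Promise.reject(new Error(`${envName} is not set`));
    }
    // Buffer.from(..., 'base64') does not throw on malformed input, so
    // validate the encoding before handing bytes to KMS.
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) {
      return Promise.reject(new Error(`${envName} is not valid base64`));
    }

    cached = new Promise((resolve, reject) =>
      kmsClient.decrypt(
        { CiphertextBlob: Buffer.from(value, 'base64') },
        (err, data) => (err ? reject(err) : resolve(data.Plaintext.toString()))
      )
    ).catch(err => {
      cached = undefined; // do not cache failures; allow a retry
      throw err;
    });
    return cached;
  };
}

// Constructed stub standing in for `new AWS.KMS()`: it "decrypts" by returning
// the ciphertext bytes unchanged and counts how often it is called.
const stubKms = {
  calls: 0,
  decrypt(params, cb) {
    this.calls += 1;
    cb(null, { Plaintext: params.CiphertextBlob });
  }
};

// Constructed sample environment; the value is base64 of "hunter2".
const sampleEnv = { SOME_PARAMETER: Buffer.from('hunter2').toString('base64') };
const loadSecret = makeSecretLoader(stubKms, 'SOME_PARAMETER', sampleEnv);
```

In a Lambda handler, pass `new AWS.KMS()` as `kmsClient` and call `loadSecret()` inside the handler; the returned value should be used, not logged.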