I’m struggling with providing sensitive information like a password or api key to a Lambda:
In the AWS docs it says: When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service.
But they also mention
Storing Sensitive Information
For sensitive information, such as database passwords, we recommend you use client-side encryption using AWS Key Management Service and store the resulting values as Ciphertext in your environment variable.
You will need to include logic in your Lambda function code to decrypt these values.
So in the end the Lambda function needs a password/key to decrypt the Ciphertext. How do I safely provide the Lambda function with this password/key? How is this safer than just passing in the environment variable as plaintext and then Lambda storing it in KMS?
Any ideas?
Resource: http://docs.aws.amazon.com/lambda/latest/dg/env_variables.html
Using KMS to decrypt the ciphertext as part of your Lambda is safer for a couple reasons:
GetFunctionConfiguration API call. This is important, because people with "production" access don't need to be able to see the DB passwords in plaintext all the time. And you can't lock down that API call without totally crippling their ability to use Lambda.

All of these answers basically come down to "security is like a good parfait: more layers are good." KMS is good at controlling who (or what services) can access secrets, and it would be a major pain to reinvent that in Lambda (with env vars) so they're encouraging you to leverage that if you need it (or are required by $REGULATIONS).
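The pattern the answer describes, written out as an added example (not code from the question, the answer, or the AWS docs): the ciphertext sits in an environment variable, the function holds no decryption password of its own, and the only thing that lets it decrypt is that its execution role is allowed kms:Decrypt. It assumes boto3's `kms.decrypt` call; `FakeKms` and the `b"CT:"` blob format are constructed stand-ins so the example runs offline, and the encryption context key name is an assumption.

```python
import base64
import os
from typing import Any, Dict, Optional

# Module-level cache: Lambda reuses the execution environment across warm invocations,
# so KMS is called once per container rather than on every request.
_SECRET_CACHE: Dict[str, str] = {}


def load_secret(env_name: str, encryption_context: Dict[str, str],
                kms_client: Optional[Any] = None) -> str:
    """Return the plaintext of the base64 KMS ciphertext held in env var `env_name`.

    The function holds no decryption password: its execution role only needs
    kms:Decrypt on the key (granted in IAM, not in code). The encryption context
    must equal the one used at encrypt time, binding the blob to this function.
    """
    if env_name in _SECRET_CACHE:
        return _SECRET_CACHE[env_name]
    raw = os.environ.get(env_name)
    if not raw:
        raise RuntimeError(f"environment variable {env_name} is not set")
    if kms_client is None:  # real client; boto3 is present in the Lambda runtime
        import boto3  # type: ignore
        kms_client = boto3.client("kms")
    resp = kms_client.decrypt(CiphertextBlob=base64.b64decode(raw),
                              EncryptionContext=encryption_context)
    plaintext = resp["Plaintext"].decode("utf-8")
    _SECRET_CACHE[env_name] = plaintext
    return plaintext


def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point: fetch the DB password at runtime; never log or return it."""
    ctx = {"LambdaFunctionName": os.environ.get("AWS_LAMBDA_FUNCTION_NAME", "unknown")}
    password = load_secret("DB_PASSWORD", ctx)
    # ... open the database connection with `password` here ...
    return {"statusCode": 200, "secret_length": len(password)}


class FakeKms:
    """Constructed stand-in for the KMS client so the example runs offline (test only)."""
    def __init__(self, expected_ctx: Dict[str, str]) -> None:
        self.expected_ctx, self.calls = expected_ctx, 0

    def decrypt(self, CiphertextBlob: bytes, EncryptionContext: Dict[str, str]) -> Dict[str, Any]:
        self.calls += 1
        if EncryptionContext != self.expected_ctx:  # real KMS rejects a mismatch too
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": CiphertextBlob[len(b"CT:"):]}  # fake blob is b"CT:" + plaintext
```

Someone who can read the function configuration sees only the base64 ciphertext; turning it back into the password requires kms:Decrypt on the key with a matching encryption context, which is the separate layer the answer is pointing at.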