Providing sensitive information to a Lambda

question.md

I’m struggling with providing sensitive information like a password or api key to a Lambda:

In the AWS docs it says: When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service.

But they also mention

Storing Sensitive Information

For sensitive information, such as database passwords, we recommend you use client-side encryption using
AWS Key Management Service and store the resulting values as Ciphertext in your environment variable.
You will need to include logic in your Lambda function code to decrypt these values.

So in the end the Lambda function needs a password/key to decrypt the Ciphertext. How do I safely provide the Lambda function with this password/key? How is this safer than just passing in the environment variable as plaintext and then Lambda storing it in KMS?

any ideas?

Resource: http://docs.aws.amazon.com/lambda/latest/dg/env_variables.html

just wow, thx so much for clarifying!

To add some extra info: You don't want to use KMS as the direct Encrypt/Decrypt API from Lambda, as you run the risk of throttling by the API, and it is slower. You want to use data keys. You use GenerateDataKey to create it, both the plaintext version of the key, and an version encrypted by KMS. You use the plaintext version to do encryption and decryption on your data, and you use the KMS-encrypted version to store it (outside KMS). So in your Lambda, on container start you retrieve the encrypted data key, use KMS.Decrypt to decrypt it, and then use it during the calls.

Thanks Ryan, that's a very clear and concise explanation.