Ensure Lambda environment variables are encrypted using customer-managed Customer Master Keys (CMKs)

Security & Compliance

AWS Lambda environment variables are commonly used to hold sensitive values such as API keys, database passwords, and other secrets, so they must be encrypted to protect them from unauthorized access. Lambda always encrypts environment variables at rest; by default it uses an AWS-managed key, whereas this check requires a customer-managed Customer Master Key (CMK) in AWS Key Management Service (KMS), which gives your organization control over the key policy, rotation, and CloudTrail auditing of every use of the key.


To ensure that Lambda environment variables are encrypted using customer-managed CMKs, you can follow these remediation steps:

  1. Create a customer-managed CMK in KMS. If you already have a CMK, ensure that it is enabled and available for use by Lambda.
  2. Assign the necessary permissions on the CMK (via its key policy and/or IAM) so that the Lambda function can use it. This includes permissions to encrypt and decrypt data using the CMK.
  3. Enable encryption for your Lambda environment variables using the customer-managed CMK, by setting the function's environment-variable encryption key to that CMK.
  4. Update the Lambda function code to use the encrypted environment variables.
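The following audit script is an added example, not part of the original page or of Lightlytics' own checks. It evaluates the rule described above over constructed sample data whose shape mirrors the Lambda GetFunctionConfiguration and KMS DescribeKey responses: a function fails when it has environment variables but no KMSKeyArn (the AWS-managed aws/lambda key is then in use), when the key is AWS-managed, or when the customer-managed key is not Enabled. The function names and key ARNs are made-up placeholders.

```python
# Offline audit of Lambda environment-variable encryption. Input shapes
# mirror lambda:GetFunctionConfiguration and kms:DescribeKey responses.

AWS_MANAGED_KEY_ALIAS = "alias/aws/lambda"  # used when KMSKeyArn is not set

# Constructed sample data (placeholder ARNs, not real account resources).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
DISABLED_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/deadbeef-0000-4000-8000-000000000000"

FUNCTIONS = [
    {"FunctionName": "orders-api", "KMSKeyArn": CMK_ARN,
     "Environment": {"Variables": {"DB_PASSWORD": "REDACTED"}}},
    {"FunctionName": "report-job",  # no KMSKeyArn: falls back to aws/lambda
     "Environment": {"Variables": {"API_KEY": "REDACTED"}}},
    {"FunctionName": "hello-world"},  # defines no environment variables at all
    {"FunctionName": "legacy-import", "KMSKeyArn": DISABLED_CMK_ARN,
     "Environment": {"Variables": {"TOKEN": "REDACTED"}}},
]

KEY_METADATA = {
    CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    DISABLED_CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}


def evaluate(function, key_metadata):
    """Return (status, reason) for one function configuration."""
    variables = function.get("Environment", {}).get("Variables") or {}
    if not variables:
        return "NOT_APPLICABLE", "function defines no environment variables"
    key_arn = function.get("KMSKeyArn")
    if not key_arn:
        return "FAIL", f"variables encrypted with AWS-managed key {AWS_MANAGED_KEY_ALIAS}"
    meta = key_metadata.get(key_arn)
    if meta is None:
        return "FAIL", f"key {key_arn} not found (deleted, or cross-account without access)"
    if meta.get("KeyManager") != "CUSTOMER":
        return "FAIL", f"key {key_arn} is managed by AWS, not customer-managed"
    if meta.get("KeyState") != "Enabled":
        return "FAIL", f"customer-managed key {key_arn} is {meta.get('KeyState')}, not Enabled"
    return "PASS", f"variables encrypted with enabled customer-managed key {key_arn}"


def audit(functions, key_metadata):
    """Map each function name to its finding; FAIL entries need remediation."""
    return {f["FunctionName"]: evaluate(f, key_metadata) for f in functions}


if __name__ == "__main__":
    for name, (status, reason) in audit(FUNCTIONS, KEY_METADATA).items():
        print(f"{status:<14} {name}: {reason}")
```

In a live account the same two functions would be fed from paginated list-functions/get-function-configuration and describe-key calls; a function that fails here is remediated with steps 1 to 4 above.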

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.