11

I am working on an AWS CloudFormation template that includes a Lambda function with sensitive environment variables. I'd like to set up a KMS key and encrypt them with it, which is easy to do in the console but proving very difficult to do in CloudFormation.

Can anyone please post a basic CloudFormation JSON object for a Lambda with at least one environment variable that is encrypted using a KMS key, as well as the JSON for creating that key?

Improve this question

1 Answer 1

Reset to default
4

It looks like there's a feature request up for it currently, in AWS' serverless-application-model project: https://github.com/awslabs/serverless-application-model/issues/48

However, at the moment there is no way to encrypt individual environment variables via CloudFormation. As for setting up the KMS key itself with CloudFormation, see the following: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

After creating the KMS Key resource, you can use it in your Lambda Function by specifying a KmsKeyArn property in your Function's properties.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

It looks like there's still no way to encrypt variables which makes CloudFormation useless for lots of cases
It's late 2023 - you can use the above answer to encrypt all the variables via KMS, but not specific ones. You also still have to populate those variables from somewhere in your template, and Parameters don't support retrieving the value of an SSM SecureString or a Secrets Manager Secret. So getting the secret in to your stack is still a problem.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.