Use AWS KMS Customer Master Keys for Lambda Environment Variables Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Lambda-009

Ensure that your Amazon Lambda environment variables are using KMS CMK customer-managed keys instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the data encryption/decryption process. The environment variables defined for your AWS Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code. By default, all Lambda environment variables with the key (name) set to "pass", "password", "*token*" (i.e. any key that has "token" string in it), "api", "API", "Key", "KEY", "key" are encrypted. You can also set your own environment variables names within the rule settings on your Cloud Conformity console.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When you utilize your own KMS CMK customer-managed keys to protect the sensitive data that you pass to your AWS Lambda functions, you achieve full control over who can use the CMK keys and access the data encrypted within the environment variables. The AWS KMS service allows you to create, rotate, disable, enable, and audit your Customer Master Keys (CMKs) for Lambda environment variables.


Audit

To determine if Amazon KMS CMK customer-managed keys are used to encrypt your Lambda environment variables as opposed to default keys, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access the configuration page.

05 Scroll down to Environment variables and click Edit to open the panel with the Edit environment variables.

06 Make sure that the Enable encryption helpers setting is enabled (otherwise see this rule to enable encryption), then check the encryption key name set for the Encryption key attribute. If the encryption key name is "aws/lambda", the environment variables defined for the selected AWS Lambda function are encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

07 Repeat steps no. 4 - 6 to check the encryption key type for other Lambda functions available in the current AWS region.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available within the selected region:

aws lambda list-functions \
  --region us-east-1 \
  --query 'Functions[*].FunctionName'

02 The command output should return an array with the requested function names:

[
  "FetchS3ObjectMetadata",
  "ProcessUserMetadata"
]

03 Run get-function command (OSX/Linux/UNIX) using the Lambda function name returned at the previous step and a custom query filter to return the ARN of the KMS key configured for the environment variables of the selected Amazon Lambda function:

aws lambda get-function \
  --region us-east-1 \
  --function-name FetchS3ObjectMetadata \
  --query 'Configuration.KMSKeyArn'

04 The command output should return the requested KMS key ARN if a CMK customer-managed key is currently used, otherwise the output should be one of the following:

  1. If the get-function command output returns "null", there is no key used to encrypt environment variables assigned to the selected Lambda function, therefore the encryption is not enabled (see this rule to enable encryption).
  2. If the command output returns an empty string, i.e. "" as the alias (name) of the KMS CMK key in use, the environment variables defined for the selected AWS Lambda function are encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

05 Repeat step no. 3 and 4 to verify the encryption key type for other AWS Lambda functions provisioned within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
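The CLI audit above, automated across all functions and regions as an added example (this is not Conformity's own tooling). It runs the same list-functions and get-function queries and classifies each function the way steps 03 and 04 describe: null means no key (encryption not enabled), an empty string means the AWS-managed default key, and a key ARN means a customer-managed CMK. The region list on the command line is an assumed input.

```shell
#!/bin/sh
# Added example (not part of the Conformity rule page): classify every Lambda
# function in the given regions by the key protecting its environment variables.

# $1 is the raw JSON scalar returned by --query 'Configuration.KMSKeyArn' --output json.
# Classification follows this page: null = no key (encryption not enabled),
# "" = AWS-managed default key, a key ARN = customer-managed CMK (compliant).
classify_kms_key_arn() {
  case "$1" in
    null)                          echo "NO_KEY_ENCRYPTION_DISABLED" ;;
    '""')                          echo "AWS_MANAGED_DEFAULT_KEY" ;;
    '"arn:aws:kms:'*':key/'*'"')   echo "CUSTOMER_MANAGED_CMK" ;;
    *)                             echo "UNEXPECTED:$1" ;;
  esac
}

# Print one TAB-separated line per function: region, function name, classification.
audit_region() {
  region="$1"
  aws lambda list-functions --region "$region" \
      --query 'Functions[*].FunctionName' --output text | tr '\t' '\n' |
  while read -r fn; do
    # text output of an empty list is blank or "None"; skip both
    [ -n "$fn" ] && [ "$fn" != "None" ] || continue
    arn_json=$(aws lambda get-function --region "$region" --function-name "$fn" \
                 --query 'Configuration.KMSKeyArn' --output json)
    printf '%s\t%s\t%s\n' "$region" "$fn" "$(classify_kms_key_arn "$arn_json")"
  done
}

# Usage: sh lambda-env-kms-audit.sh us-east-1 eu-west-1
for region in "$@"; do
  audit_region "$region"
done
```

Any line not ending in CUSTOMER_MANAGED_CMK is a finding for this rule; the NO_KEY_ENCRYPTION_DISABLED rows belong to the separate encryption-enable rule referenced in step 04.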

Remediation / Resolution

To use your own Amazon KMS CMK customer-managed keys to encrypt the environment variables that pass sensitive information to your AWS Lambda functions, perform the following commands:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel click Customer managed keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your Lambda function is provisioned).

05 Click Create Key button from the dashboard top menu.

06 Under the Configure key section, select the Key type, then click the Next Step button.

07 Under the Add labels section, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

08 Under Define key administrative permissions section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

09 Under Define key usage permissions section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt environment variables data with the AWS KMS API.

10 (Optional) Under Other AWS Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the Lambda environment variables sensitive data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

11 Click Next Step to continue.

12 Under Review and edit key policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: ".

13 Now that the necessary KMS CMK customer-managed key has been provisioned, navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

14 In the navigation panel, under AWS Lambda, choose Functions.

15 Choose the Lambda function that you want to reconfigure (see Audit section part I to identify the right Lambda resource), then click on the function name.

16 Scroll down to Environment variables and click Edit to open the panel with the Edit environment variables.

17 Select the name of the newly created KMS CMK customer-managed key from the Encryption key dropdown list to apply your own CMK key.

18 Choose the environment variable that holds sensitive data then click the Encrypt button next to the variable value. Repeat the step to encrypt other environment variables that pass sensitive data to the selected Lambda function using the new KMS CMK customer-managed key.

19 Click the Save button from the dashboard top menu to apply the changes.

20 Repeat steps no. 13 – 19 to encrypt environment variables for other AWS Lambda functions available within the current region, using your own KMS CMK customer-managed key.

21 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Before creating your KMS CMK key, you must define a policy that enables your selected IAM users and/or roles to administer the new KMS customer-managed key and to encrypt/decrypt Lambda environment variables data using the AWS KMS API. Create a new policy document called lambda-kms-cmk-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "lambda-env-var-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK key manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonLambdaManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/LambdaAdministrator"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/LambdaAdministrator"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. lambda-kms-cmk-policy.json) as required command parameter to create the new KMS CMK customer-managed key:

aws kms create-key \
  --region us-east-1 \
  --description 'KMS CMK key for encrypting Lambda environment variables' \
  --policy file://lambda-kms-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the CMK unique ID (the KeyId parameter value) and the key ARN, as these will be required later when you need to specify the CMK key used for environment variables encryption:

{
  "KeyMetadata": {
      "Origin": "AWS_KMS",
      "KeyId": "4b5y029b-g12c-6dad-8e23-e8040c125d87",
      "Description": "KMS CMK key for encrypting Lambda environment variables",
      "Enabled": true,
      "KeyUsage": "ENCRYPT_DECRYPT",
      "KeyState": "Enabled",
      "CreationDate": 1500390513.314,
      "Arn": "arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8",
      "AWSAccountId": "123456789012"
  }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias (identifier/name) to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/LambdaManagedCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8

05 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Lambda function that you want to reconfigure (see Audit section part II to identify the right Lambda resource) to apply the newly created AWS KMS CMK key to the selected function configuration:

aws lambda update-function-configuration \
  --region us-east-1 \
  --function-name FetchS3ObjectMetadata \
  --kms-key-arn arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8

06 The command output should return the configuration details (metadata) for the reconfigured AWS Lambda function:

{
  "FunctionName": "FetchS3ObjectMetadata",
  "LastModified": "2017-07-18T15:16:33.100+0000",
  "MemorySize": 128,
  "Version": "$LATEST",
  "Role": "arn:aws:iam::123456789012:role/service-role/LambdaS3Role",
  "Timeout": 5,
  "Runtime": "nodejs6.10",

  ...

  "TracingConfig": {
      "Mode": "PassThrough"
  },
  "KMSKeyArn": "arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8",
  "CodeSize": 615,
  "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:FetchS3ObjectMetadata",
  "Handler": "index.handler"
}

07 Enabling encryption with KMS CMKs for specific Amazon Lambda environment variables using the AWS API via Command Line Interface (CLI) is not currently supported. To encrypt the necessary environment variables, sign in to the AWS Management Console and execute steps no. 17 – 19 from Remediation/Resolution section, part I.

08 Repeat steps no. 5 – 7 to encrypt environment variables for other AWS Lambda functions available within the current region, using your own KMS CMK customer-managed key.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the process for other regions.
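The CLI remediation (steps 02 to 06) chained into one script, as an added example that is not Conformity's own tooling: it creates the CMK once per region from the policy document of step 01, attaches the alias, applies the key ARN to each named function, and reads KMSKeyArn back with the audit query to confirm the change. The region, policy file path, alias and function names are assumed command-line inputs; the sample create-key output is constructed for the extractor's test.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): provision one CMK, alias it,
# apply it to several Lambda functions, and verify KMSKeyArn on each.

# Extract the "Arn" value from create-key output (default pretty-printed JSON).
extract_key_arn() {
  printf '%s\n' "$1" | sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample in the shape of the create-key output shown above.
SAMPLE_CREATE_KEY_OUTPUT='{
  "KeyMetadata": {
    "Description": "KMS CMK key for encrypting Lambda environment variables",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8"
  }
}'

# Create the CMK once per region and attach the alias; print the key ARN.
create_lambda_cmk() {   # $1 region, $2 policy document path, $3 alias name (without "alias/")
  out=$(aws kms create-key --region "$1" \
          --description 'KMS CMK key for encrypting Lambda environment variables' \
          --policy "file://$2") || return 1
  arn=$(extract_key_arn "$out")
  [ -n "$arn" ] || { echo "create-key output contained no Arn" >&2; return 1; }
  aws kms create-alias --region "$1" --alias-name "alias/$3" --target-key-id "$arn"
  printf '%s\n' "$arn"
}

# Point each function at the CMK, then verify with the get-function query from the audit.
apply_cmk_to_functions() {   # $1 region, $2 key ARN, $3... function names
  region="$1"; key_arn="$2"; shift 2
  for fn in "$@"; do
    aws lambda update-function-configuration --region "$region" \
        --function-name "$fn" --kms-key-arn "$key_arn" >/dev/null
    applied=$(aws lambda get-function --region "$region" --function-name "$fn" \
                --query 'Configuration.KMSKeyArn' --output text)
    if [ "$applied" = "$key_arn" ]; then printf 'OK\t%s\n' "$fn"; else printf 'MISMATCH\t%s\n' "$fn"; fi
  done
}

# Usage: sh remediate.sh us-east-1 lambda-kms-cmk-policy.json LambdaManagedCMK FetchS3ObjectMetadata ProcessUserMetadata
if [ "$#" -ge 4 ]; then
  region="$1"; key_arn=$(create_lambda_cmk "$1" "$2" "$3") || exit 1; shift 3
  apply_cmk_to_functions "$region" "$key_arn" "$@"
fi
```

As step 07 notes, this only sets the function's key; marking individual variables as encrypted still has to be done in the console (steps 17 to 19 of part I).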

Publication date Dec 14, 2020
