Ensure that your AWS Lambda environment variables are encrypted with KMS Customer Master Keys (CMKs) that you manage, rather than the AWS-managed default key (the key used when no customer-managed key is defined), so that you have more granular control over the data encryption and decryption process. The environment variables defined for your AWS Lambda functions are key-value pairs used to store configuration settings without changing function code. By default, this rule treats Lambda environment variables whose key (name) is "pass", "password", "*token*" (i.e. any key containing the string "token"), "api", "API", "Key", "KEY" or "key" as encrypted sensitive values. You can also set your own environment variable names within the rule settings in your Cloud Conformity console.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own KMS customer-managed CMKs to protect the sensitive data that you pass to your AWS Lambda functions, you have full control over who can use those keys and who can access the data encrypted within the environment variables. The AWS KMS service allows you to create, rotate, disable, enable, and audit the Customer Master Keys (CMKs) used for Lambda environment variables.
To determine if Amazon KMS CMK customer-managed keys are used to encrypt your Lambda environment variables as opposed to default keys, perform the following:
Remediation / Resolution
To use your own Amazon KMS CMK customer-managed keys to encrypt the environment variables that pass sensitive information to your AWS Lambda functions, perform the following commands:
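The audit and remediation steps above both come down to one field of the function configuration: `KMSKeyArn`, which is empty when the AWS-managed default key is in use. The following script is an added example (not Cloud Conformity's or AWS's own code) that applies the rule's sensitive-name heuristic to constructed sample configurations shaped like `aws lambda get-function-configuration` output, flags functions whose sensitive variables are not protected by a customer-managed CMK, and records the `update-function-configuration` remediation for each finding.

```python
# Names the rule treats as sensitive by default (from the rule description);
# any name containing "token" also counts. Extra names mirror the custom
# names you can add in the rule settings.
DEFAULT_SENSITIVE_NAMES = {"pass", "password", "api", "API", "Key", "KEY", "key"}


def sensitive_variables(variables, extra_names=()):
    """Return the environment variable names that hold sensitive values."""
    names = DEFAULT_SENSITIVE_NAMES | set(extra_names)
    return sorted(n for n in variables if n in names or "token" in n)


def audit_function(config, extra_names=()):
    """Return a finding dict if the function has sensitive env vars but no
    customer-managed CMK, otherwise None. A missing or null KMSKeyArn means
    the AWS-managed default key (aws/lambda) is in use."""
    variables = (config.get("Environment") or {}).get("Variables") or {}
    flagged = sensitive_variables(variables, extra_names)
    if not flagged or config.get("KMSKeyArn"):
        return None
    return {
        "FunctionName": config["FunctionName"],
        "SensitiveVariables": flagged,
        # Remediation command (placeholders for your own key and function):
        # aws lambda update-function-configuration --function-name <name> \
        #   --kms-key-arn arn:aws:kms:<region>:<account-id>:key/<key-id>
        "Remediation": "set KMSKeyArn to a customer-managed CMK",
    }


def audit(configs, extra_names=()):
    """Audit a list of function configurations and return all findings."""
    return [f for f in (audit_function(c, extra_names) for c in configs) if f]


# Constructed sample configurations (hypothetical functions, account and key).
SAMPLE_CONFIGS = [
    {"FunctionName": "billing-worker", "KMSKeyArn": None,
     "Environment": {"Variables": {"DB_HOST": "db.internal", "api": "x",
                                   "slack_token": "y"}}},
    {"FunctionName": "report-gen",
     "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Environment": {"Variables": {"password": "z"}}},
    {"FunctionName": "ping", "Environment": {"Variables": {"LOG_LEVEL": "info"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS, extra_names=["DB_PASS"]):
        print(finding)
```

In a real audit, feed the script the configuration returned for each function in the region rather than the constructed samples.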
Use AWS KMS Customer Master Keys for Lambda Environment Variables Encryption
Risk level: High