With AWS Key Management Service and Lambda console encryption Helper, you can not only specify the configuration settings for your Lambda function, you can also use environment variables to store sensitive information database password. For more information, see the encryption environment variable . The following example will show you how this is done, and how to use KMS decrypt sensitive information.
This tutorial demonstrates how to encrypt sensitive information environment variables using the Lambda console.
Environment Variables encryption
When you create or update the environment variables Lambda functions, AWS Lambda will use the AWS Key Management Service to encrypt. When the system calls your Lambda functions, these values have been encrypted and are available Lambda code uses.
When you first create or update the environment variables Lambda functions in a certain area, the system will automatically create a default service key AWS KMS in for you. This key is used to encrypt the environment variable. However, if you want to use encryption to help program and use KMS encrypted environment variable after creating Lambda functions, you must create your own AWS KMS key and select it instead of the default key. The default key while selecting will give an error. Create your own key to achieve higher flexibility, allowing you to create, rotation, disable and define access control, auditing and encryption keys used to protect data.