AWS Lambda supports Customer Managed Key (CMK) encryption for Zip function code artifacts

Posted on: Nov 11, 2024

AWS Lambda now supports encryption of Lambda function Zip code artifacts using customer managed keys instead of default AWS owned keys. Using keys that they create, own, and manage can satisfy customer’s organizational security and governance requirements.

AWS Lambda is widely adopted for its simple programming model, built-in event triggers, automatic scaling, and fault tolerance. Previously, Lambda supported customer-managed AWS Key Management Service (AWS KMS) key-based encryption for the configuration data stored inside Lambda, such as function environment variables and SnapStart-enabled function snapshots. With today’s launch, customers can provide their own key to encrypt function code in Zip artifacts, making it easy to audit or control access to the code deployed in the Lambda function.

Customers can encrypt new or existing function Zip code artifacts by supplying a KMS key when creating or updating a function using AWS Lambda API, AWS Management Console, AWS Command Line Interface (AWS CLI), AWS SDK, AWS CloudFormation, or AWS Serverless Application Model (AWS SAM). When the KMS key is disabled, Lambda service and any users using GetFunction API to fetch deployment package will no longer have access to the Zip artifacts deployed with the Lambda function, thus, providing a convenient revocation control to the customers. If no key is provided, Lambda still secures the Zip code artifacts with AWS-managed encryption.

This feature is available in all AWS Regions where Lambda is available, except the China Regions. To learn more, visit documentation.