How do I hide my Lambda function's environment variables and unencrypted text from an IAM user?

Last updated: 2021-07-07

I want to prevent AWS Identity and Access Management (IAM) users with access to my AWS Lambda function from seeing environment variables and unencrypted text. How do I do that?

Resolution

Note: The following solution prevents IAM identities from seeing a Lambda function's environment variables only in the Lambda console and the Lambda API. It doesn't prevent IAM identities from accessing decrypted environment variables using the function's code, or from outputting the environment variable values to Amazon CloudWatch Logs.

To prevent IAM identities from accessing passwords, keys, or other sensitive information in your Lambda environment variables, do the following:

Use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the environment variables. To set up a KMS key, follow the instructions in Securing environment variables.

Important: Make sure that you edit the key policy for the KMS key so that the policy denies access to the IAM identities that don't need access.

KMS key policy example that denies specific IAM users permission to see Lambda environment variables

Note: Replace arn:aws:iam::1234567890:User1DeniedAccess and arn:aws:iam::1234567890:User2DeniedAccess with the Amazon Resource Names (ARNs) of IAM identities that you want to deny access. You can add more IAM ARNs to the key policy as needed.

{
    "Id": "MyCustomKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny IAM users permission to see Lambda environment variables",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:User1DeniedAccess",
                    "arn:aws:iam::1234567890:User2DeniedAccess"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

You receive an error message that the denied IAM user sees if they try to view the function's environment variables similar to the following:

"Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException"

Did this article help?


Do you need billing or technical support?