How do I hide my Lambda function's environment variables and unencrypted text from an IAM user?

Last updated: 2021-07-07

I want to prevent AWS Identity and Access Management (IAM) users with access to my AWS Lambda function from seeing environment variables and unencrypted text. How do I do that?

Resolution

Note: The following solution prevents IAM identities from seeing a Lambda function's environment variables only in the Lambda console and the Lambda API. It doesn't prevent IAM identities from accessing decrypted environment variables using the function's code, or from outputting the environment variable values to Amazon CloudWatch Logs.

To prevent IAM identities from accessing passwords, keys, or other sensitive information in your Lambda environment variables, do the following:

Use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt the environment variables. To set up a CMK, follow the instructions in Securing environment variables.

Important: Make sure that you edit the key policy for the CMK so that the policy denies access to the IAM identities that don't need access.

CMK key policy example that denies specific IAM users permission to see Lambda environment variables

Note: Replace arn:aws:iam::1234567890:User1DeniedAccess and arn:aws:iam::1234567890:User2DeniedAccess with the Amazon Resource Names (ARNs) of IAM identities that you want to deny access. You can add more IAM ARNs to the key policy as needed.

{
    "Id": "MyCustomKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny IAM users permission to see Lambda environment variables",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:User1DeniedAccess",
                    "arn:aws:iam::1234567890:User2DeniedAccess"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Error message example that the denied IAM user sees if they try to view the function's environment variables

"Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
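As an added example (not part of the AWS article), a small Python helper that merges the Deny statement above into an existing key policy without dropping the account's root administrator statement, and then reports which principals end up denied kms:Decrypt. The sample policy, account id and ARNs are constructed placeholders.

```python
import copy

# Constructed sample key policy holding only the account root Allow statement,
# which must stay or the account loses administrative access to the key.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::1234567890:root"},  # placeholder account
        "Action": "kms:*",
        "Resource": "*",
    }],
}
DENY_SID = "Deny IAM users permission to see Lambda environment variables"
DENIED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey"]


def _as_list(value):
    """IAM documents allow a bare string where a list is expected."""
    return [value] if isinstance(value, str) else list(value or [])


def add_deny_statement(policy, denied_arns):
    """Copy of `policy` with the article's Deny statement for `denied_arns`;
    other statements are kept and an existing Deny statement is merged."""
    updated = copy.deepcopy(policy)
    for stmt in updated.setdefault("Statement", []):
        if stmt.get("Sid") == DENY_SID:
            merged = _as_list(stmt["Principal"]["AWS"]) + list(denied_arns)
            stmt["Principal"]["AWS"] = list(dict.fromkeys(merged))
            return updated
    updated["Statement"].append({
        "Sid": DENY_SID, "Effect": "Deny",
        "Principal": {"AWS": list(dict.fromkeys(denied_arns))},
        "Action": list(DENIED_ACTIONS), "Resource": "*",
    })
    return updated  # pass json.dumps(updated) to KMS PutKeyPolicy (PolicyName "default")


def principals_denied_decrypt(policy):
    """Principal ARNs that some Deny statement blocks from kms:Decrypt."""
    denied = set()
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Deny" and any(
                a in ("kms:Decrypt", "kms:*", "*") for a in actions):
            denied.update(_as_list(stmt.get("Principal", {}).get("AWS")))
    return sorted(denied)
```

Run the checker against the policy you intend to upload before calling PutKeyPolicy; a key policy that loses its root statement can leave the key unmanageable.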
