How do I hide my Lambda environment variables from an IAM user?

Last updated: 2020-02-20

I want to prevent AWS Identity and Access Management (IAM) users with access to my AWS Lambda function from seeing my environment variables in unencrypted (plaintext) form. How do I do that?

Resolution

Note: This solution prevents IAM identities from seeing a Lambda function's environment variables only when using the Lambda console or the Lambda API. The solution doesn't prevent these IAM identities from accessing decrypted environment variables using the function's code, or from outputting the environment variable values to Amazon CloudWatch Logs.

To prevent IAM identities from accessing passwords, keys, or other sensitive information in your Lambda environment variables, use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt the environment variables. For more information, see Securing Environment Variables.

Edit the key policy for the CMK to deny access to the IAM identities that don't need access. You can use the following key policy as an example.

Note: Replace arn:aws:iam::1234567890:User1DeniedAccess and arn:aws:iam::1234567890:User2DeniedAccess with the Amazon Resource Names (ARNs) of the IAM identities that you want to deny access to. Add more IAM ARNs to the key policy according to your needs.

{
    "Id": "MyCustomKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny IAM users permission to see Lambda environment variables",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:User1DeniedAccess",
                    "arn:aws:iam::1234567890:User2DeniedAccess"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

When IAM identities that are denied access try to view your Lambda function's environment variables in the Lambda console, the following error appears:

"Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
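As an added example (not code from the article or from AWS), the following Python merges the article's Deny statement into an existing key policy and then checks which principals the resulting policy explicitly denies for a given KMS action, which is the check to run before relying on the policy. It assumes the article's placeholder account ID and ARNs and a constructed default key policy; the evaluator is deliberately minimal and does not model IAM identity policies, grants, or conditions.

```python
import fnmatch
import json

# Constructed sample: the default key policy AWS attaches to a new CMK
# (account root has full access), using the article's placeholder account ID.
EXISTING_KEY_POLICY = json.dumps({
    "Id": "MyCustomKey", "Version": "2012-10-17",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::1234567890:root"},
                   "Action": "kms:*", "Resource": "*"}],
})
DENY_SID = "Deny IAM users permission to see Lambda environment variables"
DENIED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey"]


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def add_deny_statement(policy_json, denied_arns):
    """Merge the article's Deny statement into an existing key policy.
    Other statements are kept (the root Allow keeps the key manageable) and
    re-running replaces the statement with this Sid instead of duplicating it."""
    policy = json.loads(policy_json)
    kept = [s for s in policy["Statement"] if s.get("Sid") != DENY_SID]
    kept.append({"Sid": DENY_SID, "Effect": "Deny",
                 "Principal": {"AWS": sorted(set(denied_arns))},
                 "Action": DENIED_ACTIONS, "Resource": "*"})
    policy["Statement"] = kept
    return json.dumps(policy, indent=4)


def is_explicitly_denied(policy_json, principal_arn, action):
    """True if a Deny statement names this principal and matches the action.
    An explicit Deny in the key policy overrides any Allow, including Allows
    from the principal's IAM policies, so this is the check that matters here.
    Handles only the "AWS" principal form and '*' wildcards in actions."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            return True
    return False
```

Note that actions outside the listed set (for example kms:CreateGrant) are not covered by this Deny, so the check reports them as not explicitly denied.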
