How do I hide my Lambda function's environment variables and unencrypted text from an IAM user?

2 minute read

I want to prevent AWS Identity and Access Management (IAM) users with access to my AWS Lambda function from seeing environment variables and unencrypted text. How do I do that?

Resolution

Note: The following solution prevents IAM identities from seeing a Lambda function's environment variables only in the Lambda console and the Lambda API. It doesn't prevent IAM identities from accessing decrypted environment variables using the function's code, or from outputting the environment variable values to Amazon CloudWatch Logs.

To prevent IAM identities from accessing passwords, keys, or other sensitive information in your Lambda environment variables, do the following:

Use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the environment variables. To set up a KMS key, follow the instructions in Securing environment variables.

Important: Make sure that you edit the key policy for the KMS key so that the policy denies access to the IAM identities that don't need access.

KMS key policy example that denies specific IAM users permission to see Lambda environment variables

Note: Replace arn:aws:iam::1234567890:User1DeniedAccess and arn:aws:iam::1234567890:User2DeniedAccess with the Amazon Resource Names (ARNs) of IAM identities that you want to deny access. You can add more IAM ARNs to the key policy as needed.

{
    "Id": "MyCustomKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny IAM users permission to see Lambda environment variables",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:User1DeniedAccess",
                    "arn:aws:iam::1234567890:User2DeniedAccess"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

You receive an error message that the denied IAM user sees if they try to view the function's environment variables similar to the following:

"Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException"

Related information

Creating keys

AWS Lambda permissions

Topics

Serverless Compute

Relevant content

IAM Identity Center user variable
GSC
asked a month ago
How to export environment variables from a Lambda function.
AWS-User-8658882
asked 2 years ago
How to hide IAM users under a root user seeing each other, specially the IAM user who created another IAM user under it
rePost-User-3492165
asked a year ago
How to hide code in AWS Lambda function?
ahmad
asked 4 months ago
Injecting Sensitive data as Environment Variables to Lambda Functions
GVasquez
asked 2 years ago
How do I prevent an IAM user or role from setting up Amazon SageMaker Canvas?
AWS OFFICIALUpdated a year ago
How do I increase my Lambda environment variable size quota?
AWS OFFICIALUpdated 3 years ago
How do I use IAM policy variables with federated users?
AWS OFFICIALUpdated 4 months ago
How can I prevent my Lambda function connected to an Amazon VPC from timing out?
AWS OFFICIALUpdated a year ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago