Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)

Lambda Function's environment variables are encrypted by default using the AWS default keys. Use Customer Master Keys to add another layer of control to the encryption.

Risk Level: Low
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.CRY.68
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

Lambda where not environmentVariables isEmpty() should have kmsKeyArn
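The rule above, expressed as a check over the JSON that `aws lambda list-functions` returns, as an added example that is not part of the original page or the CloudGuard product. The function list embedded below is constructed sample data (names, account id and key id are placeholders); it relies on the documented API behaviour that `KMSKeyArn` is only present in the response when a customer managed key is configured, so a function encrypted with the AWS default key simply omits it.

```python
import json

# Constructed sample in the shape of `aws lambda list-functions` output.
# KMSKeyArn is only returned when a customer managed key is configured;
# functions using the AWS default key have no KMSKeyArn field at all.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "orders-api",
         "Environment": {"Variables": {"DB_HOST": "db.internal"}},
         "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"FunctionName": "image-resizer",          # env vars, default key -> finding
         "Environment": {"Variables": {"BUCKET": "thumbs"}}},
        {"FunctionName": "heartbeat",              # empty Variables -> rule not applicable
         "Environment": {"Variables": {}}},
        {"FunctionName": "cron-cleanup"},          # no Environment block -> not applicable
    ]
})


def has_env_vars(fn):
    """True when the function carries at least one environment variable.
    `or {}` also covers a response where Variables is null."""
    return bool(fn.get("Environment", {}).get("Variables") or {})


def is_compliant(fn):
    """GSL: Lambda where not environmentVariables isEmpty() should have kmsKeyArn."""
    if not has_env_vars(fn):
        return True  # nothing to encrypt, so the rule does not apply
    return bool(fn.get("KMSKeyArn"))


def find_noncompliant(list_functions_json):
    """Return the names of functions that have environment variables but no CMK."""
    functions = json.loads(list_functions_json)["Functions"]
    return [fn["FunctionName"] for fn in functions if not is_compliant(fn)]


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_LIST_FUNCTIONS):
        print(f"{name}: environment variables use the default key; set --kms-key-arn")
```

On a real account, feed the script the output of `aws lambda list-functions` (paginated) instead of the embedded sample.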

REMEDIATION

From Portal

  1. Go to 'Lambda' dashboard
  2. In the left menu, select 'Functions'
  3. Select the relevant Lambda Function
  4. Under 'Configurations', go to 'Environment variables' and press 'Edit'
  5. Under 'Encryption configuration', set 'AWS KMS key to encrypt at rest' to 'Use a customer master key'
  6. Configure your 'Customer master key' and save

From TF
To update a Lambda Function with a key for environment variables encryption, add 'kms_key_arn' to the 'aws_lambda_function' block:

resource "aws_lambda_function" "lambda_function_example" {
	..
	kms_key_arn = KEY-ARN
	..
}

From Command Line
To update a Lambda Function with a key for environment variables encryption, use:

aws lambda update-function-configuration --function-name FUNCTION-NAME --kms-key-arn KEY-ARN

References

  1. https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#kms_key_arn
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset