My AWS Lambda function needs to be populated with env vars that contain sensitive values, like a master db password.
The new env vars feature of Lambda makes this super-simple. But it's a little fuzzy as to what the best practice is, or how to go about achieving it.
In the Lambda FAQ, they state the following:
Q: Can I store sensitive information in environment variables? For sensitive information, such as database passwords, we recommend you use client-side encryption using AWS Key Management Service and store the resulting values as cipher text in your environment variable. You will need to include logic in your AWS Lambda function code to decrypt these values.
So they're basically saying that you need to encrypt the values yourself, then input the encrypted value into your Lambda function env vars. Then you need to include logic in your function that will decrypt the value upon instantiation. In pseudo-code, it would look like so:
On Your Laptop
// Encrypt your password with your own KMS key, then store the ciphertext on the function
const AWS = require('aws-sdk');
const kms = new AWS.KMS();
const lambda = new AWS.Lambda();
(async () => {
  const { CiphertextBlob } = await kms.encrypt({ KeyId: 'alias/my-lambda-env-key', Plaintext: '122345' }).promise();
  // Store it 'on' your Lambda function (FunctionName is a placeholder; Variables replaces the whole env map)
  await lambda.updateFunctionConfiguration({ FunctionName: 'my-function', Environment: { Variables: { DB_PASS: CiphertextBlob.toString('base64') } } }).promise();
})();
In Your Lambda Function
And then in your function, you would have logic to decrypt it upon instantiation:
const kms = new (require('aws-sdk').KMS)();
// Symmetric KMS Decrypt takes no KeyId: the ciphertext itself identifies the key it was encrypted under
const { Plaintext } = await kms.decrypt({ CiphertextBlob: Buffer.from(process.env.DB_PASS, 'base64') }).promise();
db.connect('someURL', Plaintext.toString('utf8'));
Simple enough, but any values you input are already encrypted when you input them, and they allow you to choose which KMS key you want to use to encrypt the values, and you can create your own KMS key and use that instead of the "default" key.
So, what's the point of encrypting the values before input? If you can tell Lambda to use your my-lambda-env-key key for the encryption, isn't that the same as using the my-lambda-env-key key to encrypt the values on your laptop before sending them to Lambda?
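A fuller version of the "In Your Lambda Function" step, added here as an example and not part of the question: the ciphertext in DB_PASS is decrypted once per container and the plaintext reused on warm invocations, and an EncryptionContext naming the function (an assumption, not something the FAQ prescribes) ties the ciphertext to this function so it cannot simply be copied into another function's configuration. The KMS client is injected so the loader can be exercised with a stub.

```javascript
// Added example (not the question's code): decrypt a KMS-encrypted env var once per
// container and reuse the plaintext across warm invocations instead of calling KMS
// on every request. Assumptions: DB_PASS holds the base64 CiphertextBlob returned by
// KMS Encrypt, and it was encrypted with an EncryptionContext naming the function, so
// a ciphertext copied from another function's configuration fails to decrypt here.
// The KMS client is injected so the loader can be exercised with a stub; in Lambda
// pass `new (require('aws-sdk').KMS)()`.

function makeSecretLoader(kms, { envName = 'DB_PASS', encryptionContext } = {}) {
  let pending;          // cached promise for the plaintext; lives as long as the container
  let decryptCalls = 0; // how many times KMS Decrypt was actually invoked

  async function decryptOnce() {
    const b64 = process.env[envName];
    if (!b64) throw new Error(`${envName} is not set on this function`);
    const params = { CiphertextBlob: Buffer.from(b64, 'base64') };
    // Symmetric Decrypt takes no KeyId (the ciphertext identifies the key), but the
    // context must match exactly what was supplied at encryption time.
    if (encryptionContext) params.EncryptionContext = encryptionContext;
    decryptCalls += 1;
    const { Plaintext } = await kms.decrypt(params).promise();
    return Plaintext.toString('utf8');
  }

  return {
    get() {
      if (!pending) {
        // Cache the promise, not just the value, so concurrent callers share one
        // Decrypt call; drop it on failure so the next invocation retries.
        pending = decryptOnce().catch((err) => { pending = undefined; throw err; });
      }
      return pending;
    },
    stats: () => ({ decryptCalls }),
  };
}

// Wiring inside the function module (AWS_LAMBDA_FUNCTION_NAME is set by the runtime):
//   const dbPass = makeSecretLoader(new (require('aws-sdk').KMS)(), {
//     encryptionContext: { LambdaFunctionName: process.env.AWS_LAMBDA_FUNCTION_NAME },
//   });
//   exports.handler = async (event) => {
//     const myDbPassword = await dbPass.get();   // KMS hit only on cold start
//     // db.connect('someURL', myDbPassword);
//   };
```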