1
votes

I am trying to do GetFunction/InvokeFunction actions on an AWS Lambda function (Account A) from an EC2 instance running in another account (Account B).

On adding a Lambda permission in Account A to allow access to Account B, I am able to perform both actions, GetFunction and InvokeFunction.

But GetFunction is returning KMSAccessDeniedException for the environment variables of the Lambda function. I have not encrypted the environment variables for the Lambda function. Performing the same action from an EC2 instance within the account, I get the proper values for the environment variables. Do I need to add an additional permission for KMS?

1 Answer

1
votes

AWS by default encrypts the environment variables of an AWS Lambda function to keep the data safe. If we don't provide an encryption key at Lambda creation time, AWS uses the default encryption key "aws/lambda", whose access policy can't be modified.

So when I tried to call the Lambda function with environment variables, I got this exception, as other accounts don't have permission to access this key.

Solution: Create a new key and pass it on during AWS Lambda function creation to be used for encrypting the environment variable data at rest. Attach a key policy to this new key to allow access from the third account.
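The procedure the answer describes, written out as an added example (this is my code, not the answerer's, and not an AWS sample): build a key policy for a customer-managed KMS key that names the Account B role as a principal allowed `kms:Decrypt`, create the key, and point the function at it with `KMSKeyArn`. The account IDs, role names, region and function name are constructed placeholders. Two things go beyond what the answer says: cross-account KMS access always needs an allow on both sides, so the block also emits the IAM policy for the Account B role; and the `kms:ViaService` condition is an extra least-privilege restriction of mine that assumes the decrypt requests arrive through the Lambda service (as they do for GetFunction). The `boto3` calls only run from `__main__`, so the policy builders can be exercised offline.

```python
# Added example (not from the original post): key policy and consumer-side
# IAM policy for a customer-managed key protecting Lambda environment
# variables read from another account, plus the boto3 calls to apply them.
import json

# Constructed placeholder identifiers; replace with your own values.
KEY_OWNER_ACCOUNT = "111111111111"   # Account A: owns the function and the key
CONSUMER_ACCOUNT = "222222222222"    # Account B: EC2 instance calling GetFunction
CONSUMER_ROLE = "ec2-lambda-reader"  # instance role in Account B
REGION = "us-east-1"
FUNCTION_NAME = "example-function"   # hypothetical function in Account A


def cross_account_lambda_key_policy(owner, consumer, consumer_role, region):
    """Key policy for a customer-managed key used to encrypt Lambda env vars.

    Unlike the AWS-managed aws/lambda key, this policy is editable, so a
    principal from another account can be granted kms:Decrypt on it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Keep full administrative control in the key-owning account.
                "Sid": "EnableKeyAdministrationInOwnerAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                # Only the named Account B role may decrypt, and only when
                # the request comes through the Lambda service in this
                # region (added restriction, an assumption of this example).
                "Sid": "AllowConsumerRoleToDecryptLambdaEnvVars",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{consumer}:role/{consumer_role}"},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"lambda.{region}.amazonaws.com"}
                },
            },
        ],
    }


def consumer_iam_policy(key_arn):
    """IAM policy for the Account B role: the key policy alone is not enough,
    the calling identity's own IAM policy must also allow kms:Decrypt."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}
        ],
    }


def no_wildcard_principals(policy):
    """Sanity check before creating the key: no statement opens the key to
    every AWS principal (Principal "*" or {"AWS": "*"})."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return False
    return True


def apply(kms, lambda_client):
    """Create the key and re-encrypt the function's env vars under it."""
    policy = cross_account_lambda_key_policy(
        KEY_OWNER_ACCOUNT, CONSUMER_ACCOUNT, CONSUMER_ROLE, REGION)
    if not no_wildcard_principals(policy):
        raise ValueError("refusing to create a key with a wildcard principal")
    key = kms.create_key(
        Description="Lambda env var key shared with Account B",
        Policy=json.dumps(policy),
    )["KeyMetadata"]
    # UpdateFunctionConfiguration with KMSKeyArn switches the function from
    # the default aws/lambda key to the customer-managed key.
    lambda_client.update_function_configuration(
        FunctionName=FUNCTION_NAME, KMSKeyArn=key["Arn"])
    return key["Arn"]


if __name__ == "__main__":
    import boto3  # only needed when actually applying the change
    session = boto3.Session(region_name=REGION)
    arn = apply(session.client("kms"), session.client("lambda"))
    print("Function now encrypts env vars with", arn)
    print("Attach to the Account B role:")
    print(json.dumps(consumer_iam_policy(arn), indent=2))
```

After this, GetFunction from the Account B instance returns the decrypted environment variables only when the instance's role is the one named in the key policy and carries the consumer-side policy; any other principal in Account B still gets the KMSAccessDeniedException the question describes.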