2
votes

In the AWS Console under "Encryption configuration", I noticed I can't encrypt my environment variables using the default Lambda KMS.

Am I missing something? Or do I have to create my own key to enable encryption at rest?

1 Answer

2
votes

Yes, you need to use your own key to use the KMS helpers if you want to encrypt things after the function is created. Here are the relevant docs:

The first time you create or update Lambda functions that use environment variables in a region, a default service key is created for you automatically within AWS KMS. This key is used to encrypt environment variables. However, should you wish to use encryption helpers and use KMS to encrypt environment variables after your Lambda function is created, then you must create your own AWS KMS key and choose it instead of the default key. The default key will give errors when chosen.
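As an added example (not part of the original answer or the AWS docs), this sketch classifies functions by the key that protects their environment variables, so you can see which ones still need a key of their own before the encryption helpers will work. It assumes configuration dictionaries shaped like the entries returned by Lambda's ListFunctions API; the function names, account id and key id in the sample are constructed placeholders.

```python
"""Classify Lambda functions by the key protecting their environment variables."""

# Constructed sample input: dictionaries shaped like ListFunctions entries.
# Function names, account id and key id are placeholders, not real resources.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {"DB_PASSWORD": "example"}}},
    {"FunctionName": "billing-worker",
     "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Environment": {"Variables": {"API_TOKEN": "example"}}},
    {"FunctionName": "healthcheck"},
]


def key_mode(config):
    """Return which key encrypts this function's environment variables at rest."""
    variables = config.get("Environment", {}).get("Variables", {})
    if not variables:
        return "no-variables"
    # KMSKeyArn is present only when a customer managed key has been chosen;
    # otherwise Lambda falls back to the default service key.
    if config.get("KMSKeyArn"):
        return "customer-managed-key"
    return "default-service-key"


def needs_own_key(configs):
    """Names of functions that need their own key before the helpers can be used."""
    return sorted(c["FunctionName"] for c in configs
                  if key_mode(c) == "default-service-key")


def fetch_functions(region):
    """Read live configurations; requires boto3 and AWS credentials."""
    import boto3  # imported lazily so the offline sample runs without it
    client = boto3.client("lambda", region_name=region)
    pages = client.get_paginator("list_functions").paginate()
    return [fn for page in pages for fn in page["Functions"]]


if __name__ == "__main__":
    for cfg in SAMPLE_FUNCTIONS:
        print(cfg["FunctionName"], key_mode(cfg))
    print("need a customer managed key:", needs_own_key(SAMPLE_FUNCTIONS))
```

To run it against a real account, pass the result of `fetch_functions("<region>")` to `needs_own_key` instead of the sample list.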