1
votes

I have some Lambda functions which use some environment variables. I understand that we can use AWS KMS to encrypt them and then from the AWS console they will not be visible.

In my case using KMS is not possible, so I was wondering if there is some other way, probably by restricting at the IAM level so that a user should not see env variables.

I have already tried removing GetFunction and GetFunctionConfiguration from the policy. It works, but the problem is that the user is not able to see other things because now GetFunctionConfiguration is not allowed.

Is there any fine-grained permission setting which can only hide env variables in the AWS Lambda console?

Thanks in advance.

3
Change the environment variables so that instead of values, they are keys into Parameter Store or Secrets Manager. Then give the Lambda function's IAM role permission to read the underlying secrets, while not giving it to your users so they cannot retrieve the secrets. – jarmod

3 Answers

4
votes

At the Lambda level, I'm afraid there is no way to implement some sort of RBAC for environment variable visibility within the console.

If you have access to SSM Parameter Store, this will help solve your problem.

By storing the environment variables inside SSM, you can implement IAM based access control on each parameter by the path you place them in. This will give you a centralized location to manage your parameters for your lambdas, and help minimize code changes.

How To Store Your AWS Lambda Secrets - Medium outlines a similar scenario and how to utilize SSM effectively with Lambda.
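The pattern this answer describes, as an added example (not code from the answer or from the linked Medium post): the function configuration carries only parameter names, and the execution role, not the console users, gets a path-scoped `ssm:GetParameters` grant. The `ssm:` prefix convention, the `/prod/orders/` path, the parameter names and values, the region and the account id are all assumptions made for the example; `FakeSsmClient` is a constructed stand-in for the boto3 SSM client so the module runs offline.

```python
"""Resolve Lambda environment variables that point into SSM Parameter Store.

Added example (not code from the answer or the linked Medium post).
Convention assumed here: an environment variable whose value starts with
"ssm:" names a Parameter Store parameter, e.g.
    DB_PASSWORD=ssm:/prod/orders/db_password
and is replaced by the decrypted parameter value when the container starts.
Anyone who can call GetFunctionConfiguration sees only the parameter name;
the value is readable only by principals allowed ssm:GetParameters on that
path. Parameter names, values, region, account id and path are placeholders.
"""
import os
from typing import Dict, Iterable, List

SSM_PREFIX = "ssm:"
_CACHE: Dict[str, str] = {}  # reused across warm invocations of one container


def _default_client():
    import boto3  # imported lazily so the module also loads without boto3
    return boto3.client("ssm")


def _chunks(items: List[str], size: int) -> Iterable[List[str]]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def resolve_secrets(env: Dict[str, str], client=None) -> Dict[str, str]:
    """Return a copy of env with every "ssm:<name>" value replaced by the
    decrypted parameter value. A missing parameter raises, so a misconfigured
    function fails at cold start instead of running with an empty secret."""
    client = client if client is not None else _default_client()
    refs = {k: v[len(SSM_PREFIX):] for k, v in env.items() if v.startswith(SSM_PREFIX)}
    pending = sorted({name for name in refs.values() if name not in _CACHE})
    for batch in _chunks(pending, 10):  # GetParameters takes at most 10 names per call
        resp = client.get_parameters(Names=batch, WithDecryption=True)
        if resp.get("InvalidParameters"):
            raise RuntimeError("missing SSM parameters: " + ", ".join(resp["InvalidParameters"]))
        for p in resp["Parameters"]:
            _CACHE[p["Name"]] = p["Value"]
    resolved = dict(env)
    for key, name in refs.items():
        resolved[key] = _CACHE[name]
    return resolved


def execution_role_policy(region: str, account_id: str, path_prefix: str) -> dict:
    """Identity policy for the function's execution role: read (and decrypt)
    only the parameters under path_prefix. Do not attach anything like this
    to the console users; the path scoping is what keeps values hidden from
    them. SecureString parameters encrypted with a customer managed key also
    need kms:Decrypt on that key (not included here)."""
    prefix = path_prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            "Resource": "arn:aws:ssm:%s:%s:parameter/%s/*" % (region, account_id, prefix),
        }],
    }


class FakeSsmClient:
    """Constructed stand-in for boto3's SSM client so this runs offline.
    It records every GetParameters call so the caching can be observed."""

    def __init__(self, store: Dict[str, str]):
        self.store = store
        self.calls: List[List[str]] = []

    def get_parameters(self, Names: List[str], WithDecryption: bool) -> dict:
        self.calls.append(list(Names))
        return {
            "Parameters": [{"Name": n, "Value": self.store[n]} for n in Names if n in self.store],
            "InvalidParameters": [n for n in Names if n not in self.store],
        }


# Constructed sample: what the function configuration would show (names only)
SAMPLE_ENV = {
    "DB_PASSWORD": "ssm:/prod/orders/db_password",
    "API_KEY": "ssm:/prod/orders/api_key",
    "LOG_LEVEL": "info",
}
# Constructed sample: what lives in Parameter Store (never in the env)
SAMPLE_STORE = {
    "/prod/orders/db_password": "s3cr3t-db",
    "/prod/orders/api_key": "key-0123",
}

_SECRETS: Dict[str, str] = {}


def handler(event, context):
    """Lambda entry point: resolve once per container, then use the values."""
    if not _SECRETS:
        _SECRETS.update(resolve_secrets(dict(os.environ)))
    return {"db_password_len": len(_SECRETS.get("DB_PASSWORD", ""))}


if __name__ == "__main__":
    print(resolve_secrets(SAMPLE_ENV, FakeSsmClient(SAMPLE_STORE)))
```

Resolving at cold start and caching in module scope keeps the per-invocation cost at zero on warm containers, and failing on `InvalidParameters` surfaces a typo in a parameter name at deploy time rather than as a confusing authentication error later.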

2
votes

The short answer is no. The solution to this is, as you pointed out, to use KMS to encrypt the variable and then decrypt it in your code.

0
votes

As an updated answer, there is now a way to achieve it:

https://aws.amazon.com/premiumsupport/knowledge-center/lambda-environment-variables-iam-access/

The idea is to use KMS with a Customer Master Key and a key policy which denies KMS actions to the users in question:

{
    "Id": "MyCustomKey",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny IAM users permission to see Lambda environment variables",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/User1DeniedAccess",
                    "arn:aws:iam::123456789012:user/User2DeniedAccess"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

This should prevent your IAM users from seeing env variables.
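The Deny statement above is only one statement of a key policy; a customer managed key also needs an Allow statement for the account root, or the account is locked out of its own key. As an added example (not code from the answer or from the linked AWS article), the block below builds the complete key policy for a list of denied user ARNs, validates that they really are IAM user ARNs in the key's account, and then checks the outcome with a deliberately reduced model of IAM evaluation: an explicit Deny beats any Allow, the root statement delegates to the caller's identity policy (modelled by the `iam_allows` flag), and `kms:ReEncrypt*`-style wildcards match by glob. The account id and user names are placeholders, and the evaluator covers only these rules, not conditions, grants or cross-account access.

```python
"""Complete KMS key policy for the key that encrypts a Lambda function's
environment variables, plus a reduced evaluator to check who can decrypt.

Added example, not code from the answer or the linked AWS article. Account
id and user names are placeholders. evaluate() models only: explicit Deny
wins, the root statement delegates to IAM identity policies (iam_allows),
and glob-style action wildcards. No conditions, grants or cross-account.
"""
import fnmatch
from typing import List, Union

Actions = Union[str, List[str]]


def key_policy(account_id: str, denied_user_arns: List[str]) -> dict:
    """Key policy with the root Allow statement the key needs plus the Deny
    statement from the answer for the listed users."""
    expected = "arn:aws:iam::%s:user/" % account_id
    for arn in denied_user_arns:
        if not arn.startswith(expected):
            raise ValueError("expected an IAM user ARN in account %s, got %s" % (account_id, arn))
    return {
        "Id": "lambda-env-key",
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement nobody, including the account, can administer the key.
                "Sid": "Enable IAM policies in this account",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # The statement shown in the answer: these users cannot decrypt with the key.
                "Sid": "Deny IAM users permission to see Lambda environment variables",
                "Effect": "Deny",
                "Principal": {"AWS": list(denied_user_arns)},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
        ],
    }


def _principals(stmt: dict) -> List[str]:
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _action_matches(patterns: Actions, action: str) -> bool:
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, pat) for pat in pats)


def evaluate(policy: dict, caller_arn: str, action: str, iam_allows: bool) -> bool:
    """True if caller_arn may perform `action` with the key.

    iam_allows stands for the caller's own identity-based IAM policy; the
    root statement hands the decision to it. A matching Deny in the key
    policy overrides it regardless of what IAM grants."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        principals = _principals(stmt)
        named = caller_arn in principals or "*" in principals
        if stmt["Effect"] == "Deny" and named:
            return False  # explicit deny: stop evaluating
        if stmt["Effect"] == "Allow":
            if named or (account_root in principals and iam_allows):
                allowed = True
    return allowed


if __name__ == "__main__":
    acct = "123456789012"
    pol = key_policy(acct, ["arn:aws:iam::%s:user/User1DeniedAccess" % acct])
    for who in ("user/User1DeniedAccess", "user/Admin", "role/lambda-exec"):
        arn = "arn:aws:iam::%s:%s" % (acct, who)
        print(who, "kms:Decrypt ->", evaluate(pol, arn, "kms:Decrypt", iam_allows=True))
```

Once the key exists with this policy, set it as the function's `KMSKeyArn` (the `UpdateFunctionConfiguration` parameter) so Lambda encrypts the variables with it; the denied users then cannot decrypt the values the configuration API returns even if their own IAM policy grants `kms:*`, because the explicit Deny in the key policy cannot be overridden by an identity policy. Note that the Deny also covers `kms:DescribeKey`, so those users will not be able to inspect the key itself either.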