Lambda Function Encryption Not using Customer Managed CMK's

Tenacity Id

Risk Level




Last Updated:

April 21, 2022

An AWS Lambda function environment variable(s) is not encrypted with a Customer-Managed Customer Master Key (CMK). Lambda functions use environment variables to store secrets securely and adjust function's behavior without updating the code. AWS customers do not control the key material for AWS-owned CMKs, but have complete control of key material for Customer-Managed CMKs. When Customer-Managed CMK is provided only users in the account with access to the key can view or manage environment variables of the function. Lambda function environment variables should be encrypted with Customer-Managed CMKs.