AWS-Lambda-env-variable-encrypted-at-rest-uses-CMK

Severity: High

Description: This control ensures that environment variables are encrypted with a Customer Master Key at rest. Lambda environment variables can contain sensitive information such as database connection info and should be protected when stored.

Remediation Steps:

Perform following to enable environment variable encryption for lambda :

1. Login to the AWS Management Console at https://console.aws.amazon.com.

2. Navigate to AWS Lambda console.

3. In the navigation pane,  select Functions.

4. Select the function to be modified.

5. Navigate to Environment Variables.

6. Under AWS KMS key to encrypt at rest, choose Use a customer master key.

7. Select the KMS key of choice.

8. Click Save changes to apply.

Important:

Additional charges may apply when using AWS KMS CMK.

Reference:

• Create Lambda environment variables - AWS Lambda