Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an AWS owned key. If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key.
If you prefer, you can provide an AWS KMS customer managed key instead. You might do this to have control over rotation of the KMS key or to meet the requirements of your organization for managing KMS keys. When you use a customer managed key, only users in your account with access to the KMS key can view or manage the function's code or configuration.
Customer managed keys incur standard AWS KMS charges. For more information, see AWS Key Management Service pricing.
Create a customer managed key
You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs.
To create a symmetric customer managed key
Follow the steps for Creating symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.
Permissions
Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. For more information, see How to change a key policy in the AWS Key Management Service Developer Guide.
When you use a customer managed key to encrypt a .zip deployment package, Lambda doesn't add a grant to the key. Instead, your AWS KMS key policy must allow Lambda to call the following AWS KMS API operations on your behalf:
- kms:GenerateDataKey
- kms:Decrypt
The following example key policy allows all Lambda functions in account 111122223333 to call the required AWS KMS operations for the specified customer managed key:
Example AWS KMS key policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:lambda:FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:*"
                }
            }
        }
    ]
}
For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide.
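The key policy above relies on the StringLike condition on the kms:EncryptionContext:aws:lambda:FunctionArn key to restrict which functions can use the key. The following added example (not part of the AWS documentation) builds that statement for a given account, Region and key ID, and evaluates it against simulated KMS requests so you can see what the condition admits and rejects; it also shows how narrowing the function name in the condition scopes the key to a single function. The account IDs, key ID and function names are constructed sample values; only the small subset of IAM semantics this statement uses (service principal, action list, resource ARN, StringLike on encryption context) is modelled.

```python
import re

# Encryption-context key that Lambda supplies when it calls KMS for a function
LAMBDA_FUNCTION_ARN_CONTEXT_KEY = "kms:EncryptionContext:aws:lambda:FunctionArn"

# The two operations the key policy on this page grants to lambda.amazonaws.com
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def lambda_kms_policy_statement(account_id, region, key_id, function_name="*"):
    """Build the page's key policy statement for one account/Region/key.

    function_name="*" reproduces the statement on this page (any function in
    the account); a specific name scopes the grant to that one function.
    """
    return {
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
        "Condition": {
            "StringLike": {
                LAMBDA_FUNCTION_ARN_CONTEXT_KEY:
                    f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"
            }
        },
    }


def string_like(pattern, value):
    """IAM StringLike matching: case-sensitive, '*' matches any run of
    characters, '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def statement_allows(statement, service, action, resource, encryption_context):
    """Evaluate one Allow statement against a simulated KMS request.

    encryption_context is the dict Lambda attaches to the KMS call, e.g.
    {"aws:lambda:FunctionArn": "<function ARN>"}.
    """
    if statement.get("Effect") != "Allow":
        return False
    if statement["Principal"].get("Service") != service:
        return False
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(string_like(a, action) for a in actions):
        return False
    if not string_like(statement["Resource"], resource):
        return False
    conditions = statement.get("Condition", {}).get("StringLike", {})
    prefix = "kms:EncryptionContext:"
    for cond_key, pattern in conditions.items():
        ctx_key = cond_key[len(prefix):] if cond_key.startswith(prefix) else cond_key
        ctx_value = encryption_context.get(ctx_key)
        # A request without the context key cannot satisfy a StringLike condition
        if ctx_value is None or not string_like(pattern, ctx_value):
            return False
    return True


if __name__ == "__main__":
    stmt = lambda_kms_policy_statement("111122223333", "us-east-1", "key-id")
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/key-id"
    same_account = {"aws:lambda:FunctionArn":
                    "arn:aws:lambda:us-east-1:111122223333:function:my-function"}
    other_account = {"aws:lambda:FunctionArn":
                     "arn:aws:lambda:us-east-1:444455556666:function:my-function"}
    for ctx in (same_account, other_account):
        print(ctx["aws:lambda:FunctionArn"], "->",
              statement_allows(stmt, "lambda.amazonaws.com", "kms:Decrypt", key_arn, ctx))
```

The evaluator is deliberately minimal; for a real policy, use the IAM policy simulator or kms:Decrypt CloudTrail events to confirm the condition behaves as you expect before cutting over a production function's package to the key.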
Principal permissions
When you use a customer managed key to encrypt a .zip deployment package, only principals with access to that key can access the .zip deployment package. For example, principals who don't have access to the customer managed key can't download the .zip package using the presigned S3 URL that's included in the GetFunction response. An AccessDeniedException is returned in the Code section of the response.
Example AWS KMS AccessDeniedException
{
    "Code": {
        "RepositoryType": "S3",
        "Error": {
            "ErrorCode": "AccessDeniedException",
            "Message": "KMS access is denied. Check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: User: arn:aws:sts::111122223333:assumed-role/LambdaTestRole/session is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:111122223333:key/key-id with an explicit deny in a resource-based policy"
        },
        "SourceKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key-id"
    },
    ...
For more information about permissions for AWS KMS keys, see Authentication and access control for AWS KMS.
Using a customer managed key for your .zip deployment package
Use the following API parameters to configure customer managed keys for .zip deployment packages:
- SourceKMSKeyArn: Encrypts the source .zip deployment package (the file that you upload).
- KMSKeyArn: Encrypts environment variables and Lambda SnapStart snapshots.
When SourceKMSKeyArn and KMSKeyArn are both specified, Lambda uses the KMSKeyArn key to encrypt the unzipped version of the package that Lambda uses to invoke the function. When SourceKMSKeyArn is specified but KMSKeyArn is not, Lambda uses an AWS managed key to encrypt the unzipped version of the package.
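As an added example (not code from the AWS documentation), the following Python shows where the two parameters sit in a boto3 create_function call and how to check a GetFunction response for the KMS AccessDeniedException described above before trying to download the package from the presigned URL. The parameter placement (SourceKMSKeyArn inside the Code map, KMSKeyArn at the top level) is my assumption based on the shape of the CreateFunction API; the sample response, bucket, role and function names are constructed values modelled on the excerpt on this page.

```python
# Constructed GetFunction response, modelled on the AccessDeniedException excerpt above
SAMPLE_GET_FUNCTION_DENIED = {
    "Code": {
        "RepositoryType": "S3",
        "Error": {
            "ErrorCode": "AccessDeniedException",
            "Message": "KMS access is denied. Check your KMS permissions. KMS Exception: "
                       "AccessDeniedException KMS Message: User: arn:aws:sts::111122223333:"
                       "assumed-role/LambdaTestRole/session is not authorized to perform: "
                       "kms:Decrypt on resource: arn:aws:kms:us-east-1:111122223333:key/key-id "
                       "with an explicit deny in a resource-based policy",
        },
        "SourceKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key-id",
    }
}

# Constructed response for a caller that does have kms:Decrypt on the key
SAMPLE_GET_FUNCTION_OK = {
    "Code": {
        "RepositoryType": "S3",
        "Location": "https://example-presigned-url.invalid/package.zip",  # placeholder
        "SourceKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/key-id",
    }
}


def build_create_function_args(function_name, role_arn, runtime, handler,
                               s3_bucket, s3_key,
                               source_kms_key_arn=None, kms_key_arn=None):
    """Assemble keyword arguments for boto3's lambda_client.create_function().

    SourceKMSKeyArn encrypts the uploaded .zip and lives in the Code map;
    KMSKeyArn is top level and covers environment variables, SnapStart
    snapshots and, when both are set, the unzipped package (placement is an
    assumption based on the CreateFunction API shape).
    """
    code = {"S3Bucket": s3_bucket, "S3Key": s3_key}
    if source_kms_key_arn:
        code["SourceKMSKeyArn"] = source_kms_key_arn
    args = {
        "FunctionName": function_name,
        "Role": role_arn,
        "Runtime": runtime,
        "Handler": handler,
        "Code": code,
    }
    if kms_key_arn:
        args["KMSKeyArn"] = kms_key_arn
    return args


def code_access_error(get_function_response):
    """Return (ErrorCode, Message) if the Code section reports an error, else None."""
    error = get_function_response.get("Code", {}).get("Error")
    if not error:
        return None
    return error.get("ErrorCode"), error.get("Message")


class DeploymentPackageAccessDenied(Exception):
    """Raised when the caller cannot decrypt the function's .zip package."""


def deployment_package_location(lambda_client, function_name):
    """Call GetFunction and return the presigned download URL, failing early
    with a clear error when the Code section carries a KMS denial instead of
    letting the later S3 download fail."""
    response = lambda_client.get_function(FunctionName=function_name)
    error = code_access_error(response)
    if error is not None:
        error_code, message = error
        raise DeploymentPackageAccessDenied(f"{error_code}: {message}")
    return response["Code"]["Location"]


if __name__ == "__main__":
    args = build_create_function_args(
        "my-function", "arn:aws:iam::111122223333:role/LambdaTestRole",
        "python3.12", "app.handler", "example-bucket", "package.zip",
        source_kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/key-id",
        kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/key-id",
    )
    print(args)
    print(code_access_error(SAMPLE_GET_FUNCTION_DENIED))
```

To run this against a real account, pass a boto3 Lambda client (`boto3.client("lambda")`) to deployment_package_location and unpack the dict from build_create_function_args into lambda_client.create_function(**args).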
To add customer managed key encryption when you create a function
- Open the Functions page of the Lambda console.
- Choose Create function.
- Choose Author from scratch or Container image.
- Under Basic information, do the following:
  - For Function name, enter the function name.
  - For Runtime, choose the language version to use for your function.
- Expand Advanced settings, and then select Enable encryption with an AWS KMS customer managed key.
- Choose a customer managed key.
- Choose Create function.
To remove customer managed key encryption, or to use a different key, you must upload the .zip deployment package again.
To add customer managed key encryption to an existing function
- Open the Functions page of the Lambda console.
- Choose the name of a function.
- In the Code source pane, choose Upload from.
- Choose .zip file or Amazon S3 location.
- Upload the file or enter the Amazon S3 location.
- Choose Enable encryption with an AWS KMS customer managed key.
- Choose a customer managed key.
- Choose Save.