DVA-C02 Study Guide: Encrypting Sensitive Environment Variables
Encrypt environment variables that contain sensitive data
Encrypting Environment Variables for Sensitive Data
In the AWS ecosystem, securing sensitive information like database credentials, API keys, and PII is a critical requirement. This guide focuses on the methods used to protect environment variables from exposure in the AWS Console, logs, and transit.
Learning Objectives
By the end of this guide, you should be able to:
- Identify which types of data require encryption (PII, PHI, Secrets).
- Configure AWS Lambda environment variables with encryption helpers.
- Explain the difference between default encryption and KMS-based encryption for variables.
- Implement server-side and client-side decryption patterns using the AWS SDK.
Key Terms & Glossary
- Environment Variable: A dynamic-named value that can affect the way running processes will behave on a computer.
- KMS (Key Management Service): A managed service that makes it easy for you to create and control the cryptographic keys used to protect your data.
- CMK (Customer Master Key): The primary resource in KMS, used to generate, encrypt, and decrypt data keys.
- Ciphertext: The encrypted, unreadable format of data produced after an encryption algorithm is applied.
- PII (Personally Identifiable Information): Information that can be used on its own or with other information to identify, contact, or locate a single person.
The "Big Idea"
Security in the cloud follows a defense-in-depth strategy. While environment variables are convenient for application configuration, storing them in plaintext creates a security vulnerability. If an IAM user has GetFunction permissions, they could see these secrets. By encrypting them at rest with AWS KMS, you ensure that even if the configuration is accessed, the data remains unreadable without specific KMS Decrypt permissions.
Formula / Concept Box
| Feature | Default Lambda Encryption | Encryption Helpers (KMS) |
|---|---|---|
| At Rest | Encrypted by AWS-managed key | Encrypted by Customer-managed key (CMK) |
| In Transit | Encrypted via HTTPS | Encrypted via HTTPS |
| Visibility | Visible in plaintext in the AWS Console | Visible as Ciphertext in the AWS Console |
| Cost | Included in Lambda pricing | Subject to KMS API and Key costs |
Hierarchical Outline
- I. Why Encrypt?
- Prevention of credential leakage in logs or console.
- Compliance requirements for PII/PHI data.
- II. AWS Lambda Encryption Options
- Standard Encryption: Automated encryption by Lambda using an AWS-managed key (doesn't hide values in console).
- Encryption Helpers: Uses KMS to encrypt values before they are stored in the environment (hides values in console).
- III. The Decryption Workflow
- Client-side Decryption: The application code uses the AWS SDK to call the KMS Decrypt API at runtime.
- In-memory Storage: Plaintext is kept in memory only, never written to disk.
- IV. Alternatives
- AWS Secrets Manager: Best for secrets that require rotation (e.g., RDS passwords).
- Systems Manager Parameter Store: Cost-effective for configuration and SecureString values.
Visual Anchors
The Encryption Workflow
Architectural Context
```latex
\begin{tikzpicture}[node distance=2cm]
  \draw[thick, fill=blue!10] (0,0) rectangle (3,2) node[pos=.5] {Lambda Function};
  \draw[thick, fill=green!10] (5,0) rectangle (8,2) node[pos=.5] {AWS KMS};
  \draw[->, thick] (3,1) -- (5,1) node[midway, above] {Decrypt(Ciphertext)};
  \draw[<-, thick] (3,0.5) -- (5,0.5) node[midway, below] {Plaintext Secret};
  \draw[dashed] (-1,-1) rectangle (4,3) node[below right] {VPC / Execution Env};
\end{tikzpicture}
```
Definition-Example Pairs
- Symmetric Encryption: Using the same key for both encryption and decryption.
- Example: Using an AWS KMS CMK to encrypt an API key so that only the Lambda function whose execution role is allowed to call Decrypt on that key's ARN can recover it.
- Envelope Encryption: Encrypting data with a data key, then encrypting the data key with another key (the CMK).
- Example: When encrypting a large environment variable file, KMS generates a data key (GenerateDataKey) that the client uses locally to encrypt the file, and KMS returns that data key already encrypted under the CMK; only the encrypted data key is stored alongside the file.
Worked Examples
Step-by-Step: Encrypting a Variable in Lambda
- Creation: Open the Lambda Console and go to Configuration > Environment Variables.
- Encryption Helpers: Check "Enable helpers for encryption in transit".
- KMS Key Selection: Select a Customer Master Key (CMK) from your account.
- Encrypt: Click the "Encrypt" button next to your sensitive value (e.g., DB_PASSWORD). The value changes to a long base64 string (Ciphertext).
- Code Implementation: Add the decryption snippet provided by the console to your function code:
```python
import boto3
import os
from base64 import b64decode

ENCRYPTED = os.environ['DB_PASSWORD']  # base64 ciphertext written by the console helper
# Decrypt outside the handler so the KMS call runs once per execution environment (context reuse)
DECRYPTED = boto3.client('kms').decrypt(
    CiphertextBlob=b64decode(ENCRYPTED),
    EncryptionContext={'LambdaFunctionName': os.environ['AWS_LAMBDA_FUNCTION_NAME']}
)['Plaintext'].decode('utf-8')

def lambda_handler(event, context):
    # Use DECRYPTED in memory (e.g., to open a database connection); do not print or log it
    return {'statusCode': 200}
```

Checkpoint Questions
- What permission must the Lambda Execution Role have to successfully use encrypted environment variables?
- Answer: kms:Decrypt for the specific CMK used.
- Does the standard encryption (default) hide environment variable values in the AWS Lambda Console?
- Answer: No, standard encryption only protects the data at rest on AWS hardware, but it is visible in plaintext in the console UI.
- Why is it better to decrypt the environment variable outside the lambda_handler function?
- Answer: To take advantage of Execution Context reuse; the decryption call happens once during the "Init" phase rather than on every single invocation, saving time and cost.
- Which service is preferred if you need to rotate a database password every 30 days?
- Answer: AWS Secrets Manager, as it has built-in rotation integration with RDS and other services.
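The execution-context-reuse pattern from the checkpoint question above, as an added example that is not part of the original guide: the KMS client is a constructed stand-in (FakeKms, with the same decrypt() call shape as boto3) so the block runs offline, and SecretCache, simulate and the function name "order-service" are assumptions. It also shows that a Decrypt attempted with a mismatched encryption context is rejected.

```python
import base64
import os

# Constructed stand-in for boto3.client("kms"): decrypt() is a lookup keyed on the
# ciphertext AND the encryption context, mirroring KMS refusing to decrypt when the
# context supplied at decrypt time differs from the one bound at encrypt time.
class FakeKms:
    def __init__(self, table):
        self.table = table  # {(ciphertext_bytes, sorted_context_items): plaintext_bytes}
        self.calls = 0      # number of Decrypt API calls (each one costs latency and money)

    def decrypt(self, CiphertextBlob, EncryptionContext):
        self.calls += 1
        key = (CiphertextBlob, tuple(sorted(EncryptionContext.items())))
        if key not in self.table:
            raise RuntimeError("InvalidCiphertextException")
        return {"Plaintext": self.table[key]}

class SecretCache:
    """Decrypts each variable at most once per execution environment; plaintext stays in memory."""
    def __init__(self, kms, function_name):
        self.kms = kms
        self.context = {"LambdaFunctionName": function_name}
        self._plaintext = {}

    def get(self, var_name):
        if var_name not in self._plaintext:
            blob = base64.b64decode(os.environ[var_name])
            resp = self.kms.decrypt(CiphertextBlob=blob, EncryptionContext=self.context)
            self._plaintext[var_name] = resp["Plaintext"].decode("utf-8")
        return self._plaintext[var_name]

def simulate(invocations, function_name="order-service"):
    """Constructed scenario: one cold start, then N invocations in the same environment.
    Returns (Decrypt calls made, the plaintext the handler used)."""
    ciphertext = b"\x01\x02opaque-kms-blob"  # constructed; real KMS ciphertext is opaque too
    os.environ["DB_PASSWORD"] = base64.b64encode(ciphertext).decode()
    os.environ["AWS_LAMBDA_FUNCTION_NAME"] = function_name
    kms = FakeKms({(ciphertext, (("LambdaFunctionName", "order-service"),)): b"s3cr3t"})
    secrets = SecretCache(kms, os.environ["AWS_LAMBDA_FUNCTION_NAME"])  # init phase, runs once

    def lambda_handler(event, context):
        password = secrets.get("DB_PASSWORD")  # hits KMS only on the first call
        return {"statusCode": 200, "password_len": len(password)}  # never log the secret

    for i in range(invocations):
        lambda_handler({"invocation": i}, None)
    return kms.calls, secrets.get("DB_PASSWORD")
```

Five invocations of a warm environment produce exactly one Decrypt call; deploying the same ciphertext under a different function name fails at the first invocation because the encryption context no longer matches.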