2.3.2 Encrypt Environment Variables
Lambda Environment Variables
| Encryption Level | Description |
|---|---|
| Default (at rest) | AWS managed key, automatic |
| KMS CMK (at rest) | Customer managed key, audit trail |
| Encryption Helpers | Encrypt values before storing them, decrypt in code |
Default Encryption
- Lambda automatically encrypts env vars at rest with an AWS managed key
- Values are decrypted automatically when the function runs
- No extra code needed
Encryption Helpers (Client-side)
```python
import boto3
import os
from base64 import b64decode

# The environment variable holds a value that was encrypted with KMS before it was set,
# so what the function sees is base64-encoded ciphertext, not the password itself
ENCRYPTED_DB_PASSWORD = os.environ['DB_PASSWORD']

# Decrypt in code; the encryption context must match the one used at encrypt time
# (the Lambda console helper binds it to the function name)
kms = boto3.client('kms')
decrypted = kms.decrypt(
    CiphertextBlob=b64decode(ENCRYPTED_DB_PASSWORD),
    EncryptionContext={'LambdaFunctionName': os.environ['AWS_LAMBDA_FUNCTION_NAME']}
)['Plaintext'].decode('utf-8')
```
- Encrypt the value before setting it in the env var (via Console or CLI)
- Decrypt in function code with the KMS Decrypt API
- The encryption context adds an extra security layer
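The helper pattern above, as an added example that is not part of the original notes: the decrypt is bound to the function name through the encryption context and is performed once per execution environment rather than on every invocation. `FakeKms`, the function names and the ciphertext bytes are constructed stand-ins so the block runs offline; in a real function you would pass `boto3.client('kms')` as `kms`.

```python
import base64
import os

class FakeKms:
    """Constructed stand-in for boto3.client('kms') so the example runs offline: like real
    KMS, it refuses a decrypt whose EncryptionContext differs from the encrypt-time one."""
    def __init__(self, records):
        self._records = records  # {ciphertext bytes: (plaintext bytes, bound context)}
        self.calls = 0

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        self.calls += 1
        plaintext, bound_ctx = self._records[CiphertextBlob]
        if (EncryptionContext or {}) != bound_ctx:
            raise ValueError('encryption context mismatch')  # KMS: InvalidCiphertextException
        return {'Plaintext': plaintext}

def decrypt_env_secret(kms, var_name, function_name):
    """Base64-decode the env var and decrypt it, binding the call to this function's name."""
    ciphertext = base64.b64decode(os.environ[var_name])
    resp = kms.decrypt(CiphertextBlob=ciphertext,
                       EncryptionContext={'LambdaFunctionName': function_name})
    return resp['Plaintext'].decode('utf-8')

_CACHE = {}

def get_secret(kms, var_name):
    """Decrypt once per execution environment (cold start); warm invocations reuse it."""
    if var_name not in _CACHE:
        _CACHE[var_name] = decrypt_env_secret(kms, var_name, os.environ['AWS_LAMBDA_FUNCTION_NAME'])
    return _CACHE[var_name]

def demo():
    """Constructed scenario: a value encrypted for 'orders-fn' decrypts there, not under another name."""
    blob = b'\x01constructed-ciphertext'
    kms = FakeKms({blob: (b's3cret', {'LambdaFunctionName': 'orders-fn'})})
    os.environ['DB_PASSWORD'] = base64.b64encode(blob).decode()
    os.environ['AWS_LAMBDA_FUNCTION_NAME'] = 'orders-fn'
    _CACHE.clear()
    first, second = get_secret(kms, 'DB_PASSWORD'), get_secret(kms, 'DB_PASSWORD')
    calls_after_cache = kms.calls  # 1: the second lookup was served from the cache
    try:
        decrypt_env_secret(kms, 'DB_PASSWORD', 'other-fn')
        rejected = False
    except ValueError:
        rejected = True
    return first, second, calls_after_cache, rejected
```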
Comparison of Approaches
| Approach | Security | Complexity | Audit |
|---|---|---|---|
| Env vars (default encryption) | Basic | Low | ❌ |
| Env vars + KMS CMK | Better | Medium | ✅ |
| Env vars + Encryption Helpers | Best (env var level) | High | ✅ |
| Secrets Manager | Best | Low | ✅ |
| SSM Parameter Store (SecureString) | Good | Low | ✅ |
Best Practice Recommendation
Simple config (non-secret) → Environment Variables
Secrets (DB passwords, API keys) → Secrets Manager or SSM SecureString
Feature flags → AppConfig
- Env vars are visible in the Lambda Console → not ideal for secrets
- Secrets Manager/SSM: centralized, rotation, cross-function sharing
Exam Tip: Default encryption = AWS managed key (automatic). Encryption Helpers = encrypt first, decrypt in code. Best practice = use Secrets Manager/SSM for secrets instead of env vars.