AWS Lambda
Developer Guide

Create a Lambda Function Using Environment Variables To Store Sensitive Information

Along with specifying configuration settings for your Lambda function, you can also use environment variables to store sensitive information, such as a database password, using AWS Key Management Service and the Lambda console's encryption helpers. For more information, see Environment Variable Encryption. The following example shows you how to do this and also how to use KMS to decrypt that information.

This tutorial will demonstrate how you can use the Lambda console to encrypt an environment variable containing sensitive information and provides sample code for decrypting that information to use in your Lambda function.

Step 1: Create the Lambda Function

  1. Sign in to the AWS Management Console and open the AWS Lambda console at

  2. Choose Create a Lambda function.

  3. In Select blueprint, choose the Blank Function blueprint.

  4. On the Configure triggers page, you can optionally choose a service that automatically triggers your Lambda function by choosing the gray box with ellipses (...) to display a list of available services. For this example, do not configure a trigger and choose Next.

  5. In Configure function, do the following:

    • In Name*, specify your Lambda function name.

    • In Runtime, specify nodejs6.10 or nodejs4.3.

      Note that in Lambda function code section you can take advantage of the Edit code inline option to do the following:

      • Replace the Lambda function handler code with your custom code.

      • Implement the decryption helper code that Lambda provides, which you will learn about later in this exercise.

    • Check the Enable encryption helpers checkbox.

    • If you already have a KMS key associated with your user account, the Encryption key field will be auto-populated with that key. If you haven't created a KMS key for your account, you will be provided a link to the AWS IAM console to create one. The account must have encrypt and decrypt permissions for that key.


      You cannot use the default Lambda service key for encrypting sensitive information on the client side.

    • In Environment variables, enter your key-value pair. If the value you provided is sensitive, choose the Encrypt button. This masks the value you entered and results in a call to AWS KMS to encrypt the value and return it as Ciphertext. Note that the Encrypt button toggles to Decrypt after you choose it. This affords you the option to update the information. Once you have done that, choose the Encrypt button.

      The Code button provides sample decrypt code specific to the runtime of your Lambda function that you can use with your application.

    • In Role*, choose Choose an existing role.

    • In Existing role*, choose lambda_basic_execution.


      If the policy of the execution role does not have the decrypt permission, you will need add it.

  6. In Review, review the configuration and then choose Create Function.