Encryption best practices for AWS Lambda - AWS Prescriptive Guidance

Encryption best practices for AWS Lambda

AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. For securing your environment variables, you can use server-side encryption to protect your data at rest and client-side encryption to protect your data in transit.

Consider the following encryption best practices for this service:

  • Lambda always provides server-side encryption at rest with an AWS KMS key. By default, Lambda uses an AWS managed key. We recommend that you use a customer managed key instead, because it gives you full control over the key, including management, rotation, and auditing.

  • For data in transit that requires encryption, enable the encryption helpers, which ensure that environment variables are encrypted client-side with the KMS key you choose, so that they are protected in transit. For more information, see Security in transit in Securing environment variables.

  • Lambda function environment variables that hold sensitive or critical data should be encrypted in transit to help protect the data that is dynamically passed to the functions (usually access information) from unauthorized access.

  • To prevent a user from viewing environment variables, add a statement to the user's IAM policy or to the key policy that denies access to the default key, a customer managed key, or all keys. For more information, see Using AWS Lambda environment variables.
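The runtime side of the encryption helpers described above, as an added example (not code from the AWS page): the function must decrypt each helper-encrypted variable itself, passing the same KMS encryption context the console bound it with. It assumes the variable value is the base64 ciphertext the console stores and that the context key is `LambdaFunctionName` as in the console's generated snippet; `FakeKms`, `sample_env` and the key alias `alias/placeholder-cmk` are constructed so the logic runs offline.

```python
import base64
import os
import secrets

class DecryptionError(RuntimeError):
    """KMS refused the ciphertext: wrong key, wrong context or a tampered blob."""

def decrypt_env_var(name, env=None, kms=None):
    """Decrypt one helper-encrypted variable. env and kms are injectable so the
    logic can run offline; inside Lambda both default to the real ones."""
    env = os.environ if env is None else env
    if kms is None:
        import boto3  # lazy import so this module loads without boto3 installed
        kms = boto3.client("kms")
    ciphertext = base64.b64decode(env[name])
    # The console helpers bind the ciphertext to the function name through the
    # KMS encryption context. Supplying the same context on decrypt means a blob
    # copied into a differently named function (or an edited blob) will not open.
    context = {"LambdaFunctionName": env["AWS_LAMBDA_FUNCTION_NAME"]}
    try:
        resp = kms.decrypt(CiphertextBlob=ciphertext, EncryptionContext=context)
    except Exception as exc:  # boto3 raises kms.exceptions.InvalidCiphertextException
        raise DecryptionError(f"cannot decrypt {name}") from exc
    return resp["Plaintext"].decode("utf-8")

class FakeKms:
    """Constructed stand-in for boto3's KMS client so the example runs offline.
    It models one property: decrypt succeeds only with the original context."""
    def __init__(self):
        self._store = {}  # ciphertext -> (encryption context, plaintext)

    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        blob = secrets.token_bytes(32)
        self._store[blob] = (dict(EncryptionContext), Plaintext)
        return {"CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        entry = self._store.get(CiphertextBlob)
        if entry is None or entry[0] != EncryptionContext:
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": entry[1], "KeyId": "alias/placeholder-cmk"}

def sample_env(kms, function_name, **plain):
    """Constructed environment: values encrypted under the function's context, base64-encoded."""
    env = {"AWS_LAMBDA_FUNCTION_NAME": function_name}
    ctx = {"LambdaFunctionName": function_name}
    for key, value in plain.items():
        ct = kms.encrypt(KeyId="alias/placeholder-cmk", Plaintext=value.encode(), EncryptionContext=ctx)
        env[key] = base64.b64encode(ct["CiphertextBlob"]).decode()
    return env
```

In a real function, call `decrypt_env_var` at module load time rather than inside the handler so KMS is contacted once per execution environment, and keep the plaintext in a module variable instead of writing it back to `os.environ`. The execution role still needs `kms:Decrypt` on the chosen key, which is exactly the permission the deny statement above withholds from users.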