
As far as I see on the net, I have to include a piece of code snippet to decrypt the environment variables encrypted with KMS keys but does anyone know the rationale for why this step has to be taken while the lambda function already has access to the key, can decrypt the values on the fly, and pass decrypted values to the underlying execution?

Copied from the code generated on the AWS console to include in my code:

using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

namespace AWSLambda
{
    public class Function
    {
        private static string Key1Value;
        // Read values once, in the constructor
        public Function()
        {
            // Decrypt code should run once and variables stored outside of the
            // function handler so that these are decrypted once per container
            Key1Value = DecodeEnvVar("ConnString").Result;
        }
        private static async Task<string> DecodeEnvVar(string envVarName)
        {
            // Retrieve env var text
            var encryptedBase64Text = Environment.GetEnvironmentVariable(envVarName);
            // Convert base64-encoded text to bytes
            var encryptedBytes = Convert.FromBase64String(encryptedBase64Text);
            // Construct client
            using (var client = new AmazonKeyManagementServiceClient())
            {
                // Construct request
                var decryptRequest = new DecryptRequest
                {
                    CiphertextBlob = new MemoryStream(encryptedBytes),
                };
                // Call KMS to decrypt data
                var response = await client.DecryptAsync(decryptRequest);
                using (var plaintextStream = response.Plaintext)
                {
                    // Get decrypted bytes
                    var plaintextBytes = plaintextStream.ToArray();
                    // Convert decrypted bytes to UTF-8 text
                    var plaintext = Encoding.UTF8.GetString(plaintextBytes);
                    return plaintext;
                }
            }
        }
        public void FunctionHandler()
        {
            Console.WriteLine("Encrypted environment variable Key1 = " + Key1Value);
        }
    }
}
Rez.Net

1 Answer


I guess I found the answer. The encryption key does not stay on the lambda. It is a one off operation to encrypt the values on the console. Refreshed the page and the link to KMS is gone, or login with another user to only see encrypted values on the env var, with no encryption key attached.

Rez.Net
  • Indeed. A Lambda function can use an environment variable, but if the variable value is encrypted, it won't decrypt 'itself'. The function needs to do it. KMS is a good way to manage encryption keys. I see many bad implementations of (de)encryption, using the AWS library would ensure that it's done properly. Currently it is as well possible to use AWS Secret Manager for sensitive data (it will do the same automatically, no need for "one off operation to encrypt the values"). – gusto2 Aug 16 '19 at 08:53
  • I am passing 5 environmental variables to Lambda, all are encrypted with the same encryption key. However, 4 of them are getting decrypted automatically but one of them is not. I have no idea what's happening. So, I have to decrypt it explicitly using a function. – Rahul Satal Dec 16 '19 at 14:29
  • @RahulSatal Can you please elaborate how your lambda decrypts env vars automatically? – Rez.Net Dec 16 '19 at 23:02
  • Check `Storing Sensitive Information` section in https://docs.aws.amazon.com/lambda/latest/dg/env_variables.html. It says - " When you deploy your Lambda function, all the environment variables you've specified are encrypted by default after, but not during, the deployment process. They are then decrypted automatically by AWS Lambda when the function is invoked." – Rahul Satal Dec 18 '19 at 10:03
  • @RahulSatal Maybe you should raise a question about it in stackoverflow, but are you sure the size of your env vars has not gone over 4k? https://docs.aws.amazon.com/lambda/latest/dg/limits.html – Rez.Net Dec 19 '19 at 00:25
  • Yes, I will ask a question about it in StackOverflow. And yes I am sure that the size of the env vars has not gone over 4k. Because in that case we immediately get the error while saving the lambda function. – Rahul Satal Dec 19 '19 at 14:19
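The pattern the answer and comments describe, as an added example that is not code from the question, the answer, or AWS: the function receives only base64 KMS ciphertext in its environment, must call KMS Decrypt itself, and should cache the plaintext once per container. The KMS client here is a constructed stand-in that mimics boto3's `decrypt(CiphertextBlob=...)` call and response shape so the module runs offline; in a real function you would pass `boto3.client("kms")` instead. The size check uses the 4 KB total environment-variable limit from the Lambda limits page linked in the comments.

```python
"""Explicit KMS decrypt of Lambda environment variables, cached per container.

Added example, not the question's or AWS's code. FakeKms stands in for
boto3's KMS client; only the call shape is borrowed from boto3.
"""
import base64
from typing import Dict, Mapping, Optional

# Lambda counts names plus values of all environment variables against this limit.
LAMBDA_ENV_LIMIT_BYTES = 4096


class FakeKms:
    """Constructed stand-in for boto3's KMS client.

    Real KMS returns plaintext only when the caller's IAM role is allowed to
    use the key; here a table keyed by ciphertext bytes plays that role, and
    an unknown blob raises, like KMS does for ciphertext it cannot open.
    """

    def __init__(self, table: Mapping[bytes, bytes]):
        self._table = dict(table)

    def decrypt(self, CiphertextBlob: bytes,
                EncryptionContext: Optional[Dict[str, str]] = None) -> dict:
        if CiphertextBlob not in self._table:
            raise ValueError("InvalidCiphertextException (simulated)")
        return {"Plaintext": self._table[CiphertextBlob]}


class EnvDecryptor:
    """Decrypts base64 KMS ciphertext read from environment variables.

    Create one instance at module scope in a real handler: that mirrors the
    'decrypt once per container' comment in the console-generated code, so
    repeated invocations in the same container make no further KMS calls.
    """

    def __init__(self, kms, env: Mapping[str, str]):
        self._kms = kms
        self._env = env
        self._cache: Dict[str, str] = {}
        self.kms_calls = 0  # exposed so the caching behaviour can be checked

    def get(self, name: str) -> str:
        if name in self._cache:
            return self._cache[name]
        # The console stores the KMS ciphertext as base64 text in the variable.
        blob = base64.b64decode(self._env[name])
        self.kms_calls += 1
        plaintext = self._kms.decrypt(CiphertextBlob=blob)["Plaintext"]
        value = plaintext.decode("utf-8")
        self._cache[name] = value
        return value


def env_size_bytes(env: Mapping[str, str]) -> int:
    """Size Lambda counts against the limit: every name plus every value."""
    return sum(len(k.encode("utf-8")) + len(v.encode("utf-8"))
               for k, v in env.items())


def env_within_limit(env: Mapping[str, str]) -> bool:
    return env_size_bytes(env) <= LAMBDA_ENV_LIMIT_BYTES


# Constructed sample data: a pretend KMS blob and the environment as the
# function would see it (ciphertext only, no key material anywhere).
SAMPLE_CIPHERTEXT = b"\x01\x02fake-kms-blob-for-ConnString"
SAMPLE_ENV = {
    "ConnString": base64.b64encode(SAMPLE_CIPHERTEXT).decode("ascii"),
    "LOG_LEVEL": "info",
}
SAMPLE_KMS = FakeKms({SAMPLE_CIPHERTEXT: b"Server=db;User=app;Password=example"})


def demo() -> dict:
    """Decrypt the sample twice and report how many KMS calls that took."""
    decryptor = EnvDecryptor(SAMPLE_KMS, SAMPLE_ENV)
    first = decryptor.get("ConnString")
    second = decryptor.get("ConnString")  # served from the per-container cache
    return {
        "plaintext": first,
        "cache_hit": first == second,
        "kms_calls": decryptor.kms_calls,
        "within_limit": env_within_limit(SAMPLE_ENV),
    }


if __name__ == "__main__":
    print(demo())
```

Swapping `FakeKms` for a real `boto3.client("kms")` keeps the same call, and then the decrypt succeeds only if the function's execution role has `kms:Decrypt` on the key, which is the point of the answer: the ciphertext in the console is useless to anyone who can read the environment but not use the key.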