waterloo-rocketry / minerva-old

Waterloo Rocketry's custom slackbot

Encrypt Lambda Environment Variables with a Customer-provided KMS key #68

Closed QuantumManiac closed 1 year ago

QuantumManiac commented 1 year ago

By default, environmental variables used by AWS Lambda functions are encrypted at-rest by a managed AWS Key Management Service (KMS) key. This key is available to all users, and therefore everyone is able to decrypt and view the environmental variables. This is an issue, as we store our secrets in these env vars.

I have created two customer KMS keys, one for prod and one for dev, and changed the CDK configuration to use them in encrypting the environmental variables. This way, anyone who does not have access to the key (currently anyone but users with the AWSAdmin user group) is unable to see the environmental variables associated with a Lambda Function.

The only drawback to this is the fact that all environmental variables, secrets or not, are not visible in the AWS console. The fix to this is to leverage AWS's Systems Manager Parameters (free) or Secrets Manager (not free) instead of environmental variables, but this would require a major refactor to the codebase, considering that we'd need to set something up to async retrieve the keys at the top level of a module before we use them, which could potentially be done through the use of top-level awaits. I will look into this in the future.


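A check that could run against the synthesized CloudFormation template to confirm the change described above stays in place, as an added example that is not part of the original pull request or the minerva code base: it flags Lambda functions whose environment variables would fall back to the default key. The template, logical IDs, variable names and status labels are constructed for illustration; `KmsKeyArn` and `Environment.Variables` are the standard `AWS::Lambda::Function` properties.

```javascript
// Constructed sample in the shape `cdk synth` emits; all IDs and names are made up.
const sampleTemplate = {
  Resources: {
    EnvKey: { Type: "AWS::KMS::Key", Properties: {} },
    BotHandler: {
      Type: "AWS::Lambda::Function",
      Properties: {
        Environment: { Variables: { SLACK_TOKEN: "placeholder" } },
        KmsKeyArn: { "Fn::GetAtt": ["EnvKey", "Arn"] },
      },
    },
    LegacyHandler: {
      Type: "AWS::Lambda::Function",
      Properties: { Environment: { Variables: { API_SECRET: "placeholder" } } },
    },
    ImportedKeyHandler: {
      Type: "AWS::Lambda::Function",
      Properties: {
        Environment: { Variables: { DB_PASSWORD: "placeholder" } },
        KmsKeyArn: "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      },
    },
    NoEnvHandler: { Type: "AWS::Lambda::Function", Properties: {} },
  },
};
// Logical ID a KmsKeyArn points at when it is an Fn::GetAtt intrinsic, else null.
function referencedLogicalId(value) {
  const getAtt = value && typeof value === "object" ? value["Fn::GetAtt"] : null;
  if (Array.isArray(getAtt)) return getAtt[0];
  return typeof getAtt === "string" ? getAtt.split(".")[0] : null;
}

// Classify every Lambda function that carries environment variables.
function auditLambdaEnvEncryption(template) {
  const resources = (template && template.Resources) || {};
  const findings = [];
  for (const [id, res] of Object.entries(resources)) {
    if (res.Type !== "AWS::Lambda::Function") continue;
    const props = res.Properties || {};
    const names = Object.keys((props.Environment || {}).Variables || {});
    if (names.length === 0) continue; // no variables, nothing to protect
    const target = resources[referencedLogicalId(props.KmsKeyArn)];
    let status = "unverified-key"; // literal ARN or other intrinsic: check by hand
    if (props.KmsKeyArn === undefined) status = "default-key"; // Lambda's default key
    else if (target && target.Type === "AWS::KMS::Key") status = "customer-key";
    findings.push({ id, status, variables: names });
  }
  return findings;
}
```

A pipeline step can fail the build when any finding has a status other than `customer-key`, which catches a new function added without the key.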