This check verifies that AWS Lambda function environment variables are encrypted at rest with a customer-managed KMS key (CMK) rather than the default AWS-managed Lambda service key (aws/lambda).
A KMSKeyArn on the function configuration indicates CMK-based encryption is active; Lambda omits the field when the AWS-managed key is in use.
Risk
Without a CMK, environment variables are encrypted with an AWS-managed key, so you cannot define the key policy, set a rotation schedule, or disable or revoke the key to cut off access.
If variables contain secrets or connection strings, loss of key control weakens confidentiality and can conflict with compliance regimes (PCI-DSS, HIPAA, FedRAMP) that require customer-managed key lifecycle controls.
prowler aws --checks awslambda_function_env_vars_not_encrypted_with_cmk
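The decision rule the check applies, re-implemented as an added example (this is not Prowler's own code): a function passes only when its configuration carries a non-empty KMSKeyArn. The sample configurations, account ID, function names and key ARN are constructed for the example; the live path at the bottom assumes boto3 and credentials and is not exercised offline. Skipping functions with no environment variables is a design choice of this example, not necessarily Prowler's behaviour.

```python
"""Re-implementation of the check's decision rule over Lambda function
configurations. Added example, not Prowler's code."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample configurations in the shape returned by
# lambda:ListFunctions / GetFunctionConfiguration. Lambda returns KMSKeyArn
# only when a customer-managed key is configured; with the default
# AWS-managed key the field is absent.
SAMPLE_FUNCTIONS = [
    {
        "FunctionName": "orders-api",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:orders-api",
        "Environment": {"Variables": {"DB_HOST": "db.internal"}},
        "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    },
    {
        "FunctionName": "billing-worker",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:billing-worker",
        "Environment": {"Variables": {"STRIPE_KEY": "sk_live_constructed"}},
    },
    {
        "FunctionName": "healthcheck",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:healthcheck",
    },
]


@dataclass(frozen=True)
class Finding:
    function_name: str
    status: str  # "PASS" | "FAIL" | "SKIP"
    detail: str


def uses_cmk(config: dict) -> bool:
    """The check's rule: a non-empty KMSKeyArn means a CMK encrypts the variables."""
    return bool(config.get("KMSKeyArn"))


def has_env_vars(config: dict) -> bool:
    return bool(config.get("Environment", {}).get("Variables"))


def evaluate(config: dict) -> Finding:
    name = config["FunctionName"]
    if not has_env_vars(config):
        # Design choice of this example: nothing to protect, so do not report.
        return Finding(name, "SKIP", "no environment variables defined")
    if uses_cmk(config):
        return Finding(name, "PASS", f"encrypted with {config['KMSKeyArn']}")
    return Finding(name, "FAIL", "environment variables use the AWS-managed aws/lambda key")


def remediation_kwargs(config: dict, cmk_arn: str) -> dict:
    """Keyword arguments for lambda.update_function_configuration to fix a FAIL."""
    return {"FunctionName": config["FunctionArn"], "KMSKeyArn": cmk_arn}


def run(configs) -> list[Finding]:
    return [evaluate(c) for c in configs]


if __name__ == "__main__":
    import boto3  # only needed for the live path

    client = boto3.client("lambda")
    live = [f for page in client.get_paginator("list_functions").paginate()
            for f in page["Functions"]]
    for finding in run(live):
        print(finding.status, finding.function_name, finding.detail)
```

Run it as-is against the constructed samples to see PASS, FAIL and SKIP, or execute the module directly with credentials to scan a region; feed each FAIL's remediation_kwargs to boto3's update_function_configuration once the CMK and key policy are in place.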
Recommendation
Encrypt Lambda environment variables with a customer-managed KMS key to maintain full control over key lifecycle and access.
- Create a dedicated KMS key per application or per function for blast-radius isolation
- Enable automatic key rotation (EnableKeyRotation: true)
- Grant only the Lambda execution role decrypt access, via a key policy condition on kms:ViaService
- Prefer AWS Secrets Manager or SSM Parameter Store (SecureString) for secrets; environment variables should hold non-secret configuration only
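A key policy that follows the recommendations above, built and audited in code, as an added example (not Prowler's or AWS's own code). The account ID, region and role names are constructed placeholders. The execution role gets kms:Decrypt only, and only when the request arrives through the Lambda service in that region (kms:ViaService); the root-account administration statement keeps the key manageable. The separate deployer statement for kms:Encrypt and kms:GenerateDataKey is an assumption about who sets the variables, since the principal that configures them must be able to encrypt.

```python
"""Least-privilege KMS key policy for Lambda environment variables, plus an
audit of an existing policy. Added example; names below are constructed."""
import json

ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
EXECUTION_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/orders-api-exec"  # assumed role name
DEPLOYER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/ci-deployer"       # assumed role name


def lambda_key_policy(account_id: str, region: str, execution_role: str, deployer_role: str) -> dict:
    via_lambda = {"StringEquals": {"kms:ViaService": f"lambda.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration stays with the account; without an admin
                # principal the key can become unmanageable.
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Execution role: decrypt only, only via Lambda in this region.
                "Sid": "LambdaExecutionRoleDecrypt",
                "Effect": "Allow",
                "Principal": {"AWS": execution_role},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": via_lambda,
            },
            {   # Assumption: the deployer that sets the variables needs to
                # encrypt them, again only through the Lambda service.
                "Sid": "DeployerEncrypt",
                "Effect": "Allow",
                "Principal": {"AWS": deployer_role},
                "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": via_lambda,
            },
        ],
    }


def audit_key_policy(policy: dict, execution_role: str) -> list:
    """Return deviations from the recommendation; an empty list means it conforms."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"{sid}: wildcard principal")
        if principal == {"AWS": execution_role}:
            extra = [a for a in actions if a != "kms:Decrypt"]
            if extra:
                problems.append(f"{sid}: execution role granted {extra} beyond kms:Decrypt")
            if "kms:ViaService" not in json.dumps(st.get("Condition", {})):
                problems.append(f"{sid}: execution role grant lacks a kms:ViaService condition")
    return problems


# Constructed weak policy: execution role gets kms:* unconditionally and any
# principal may decrypt. audit_key_policy reports three problems for it.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExecAll", "Effect": "Allow", "Principal": {"AWS": EXECUTION_ROLE},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "OpenDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    good = lambda_key_policy(ACCOUNT_ID, REGION, EXECUTION_ROLE, DEPLOYER_ROLE)
    print(json.dumps(good, indent=2))
    print("good policy problems:", audit_key_policy(good, EXECUTION_ROLE))
    print("weak policy problems:", audit_key_policy(WEAK_POLICY, EXECUTION_ROLE))
```

The generated document is what you pass to kms create-key --policy or put-key-policy; run audit_key_policy over the output of get-key-policy to confirm an existing key has not drifted from the recommendation.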
Remediation
aws lambda update-function-configuration --function-name <function-name> --kms-key-arn <cmk-arn>
- Create or identify a KMS CMK in the same region as the function
- Grant the Lambda execution role kms:Decrypt and kms:GenerateDataKey on the key (the principal that runs the update also needs encrypt access on the key)
- In the Lambda console go to Configuration > Environment variables > Edit
- Under Encryption configuration, select your CMK
- Save — Lambda re-encrypts all environment variables with the chosen key
Source Code
Resource Type
AwsLambdaFunction