Ensure that your AWS Lambda environment variables are encrypted with customer-managed Customer Master Keys (CMKs; now called customer managed KMS keys in the AWS documentation) instead of AWS managed keys (the default key, alias aws/lambda, used when no customer key is defined), in order to gain granular control over who can encrypt and decrypt that data. The environment variables defined for your Lambda functions are key-value pairs used to store configuration settings without changing function code. By default, this rule checks the environment variables whose key (name) is "pass", "password", "api", "API", "Key", "KEY" or "key", or whose name contains the string "token" (i.e. "*token*"). You can also add your own environment variable names within the rule settings in your Trend Micro Cloud One™ – Conformity account console.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own customer-managed Customer Master Keys (CMKs) to protect the sensitive data that you pass to your AWS Lambda functions, you gain full control over who can use the keys and therefore who can read the data encrypted within the environment variables. The key policy of the AWS managed key (aws/lambda) is set by AWS and cannot be edited; with your own key you write the key policy and grants yourself. AWS KMS also lets you create, rotate, disable, enable, and audit (through AWS CloudTrail) the keys used for Lambda environment variables.
Audit
To determine if customer-managed Customer Master Keys (CMKs) are used to encrypt your Lambda function environment variables at rest, perform the following actions:
Remediation / Resolution
To enable encryption at rest for environment variables defined for your Amazon Lambda functions using KMS Customer Master Keys (CMKs), perform the following actions:
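The audit and the remediation decision, as an added example that is not part of the original page and not Conformity's own tooling. The script classifies a function from the JSON that `aws lambda get-function-configuration --function-name <name>` returns (`aws lambda get-function` returns the same fields under "Configuration") plus, when the function reports a `KMSKeyArn`, the JSON from `aws kms describe-key --key-id <KMSKeyArn>`. Lambda omits `KMSKeyArn` when the AWS managed key is in use, and `KeyMetadata.KeyManager` in the describe-key response is "AWS" or "CUSTOMER". Assumptions: names other than "token" must match exactly while any name containing "token" matches, as the rule text reads; the account ID, key ARN and sample responses below are constructed for illustration; the remediation command leaves the target key ARN as a placeholder you fill in (create the key with `aws kms create-key` and optionally `aws kms create-alias` first, in the same region as the function).

```python
"""Audit helper for the rule above: does a Lambda function encrypt its
sensitive environment variables with a customer-managed KMS key?

Inputs mirror the JSON returned by
  aws lambda get-function-configuration --function-name <name>
  aws kms describe-key --key-id <KMSKeyArn>
The sample responses at the bottom are constructed, not taken from a real account.
"""
from typing import Optional

# Variable names the rule watches by default (taken from the rule description).
# Assumption: every name except "token" must match exactly; any name that
# contains "token" (case-sensitive, as the rule's "*token*" is written) matches.
SENSITIVE_EXACT = frozenset({"pass", "password", "api", "API", "Key", "KEY", "key"})
SENSITIVE_SUBSTRINGS = ("token",)


def is_sensitive(name: str, extra_exact=()) -> bool:
    """True if an environment-variable name falls under the rule."""
    if name in SENSITIVE_EXACT or name in extra_exact:
        return True
    return any(s in name for s in SENSITIVE_SUBSTRINGS)


def audit_function(function_config: dict, describe_key: Optional[dict] = None,
                   extra_names=()) -> dict:
    """Classify one function as COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE.

    describe_key is the describe-key response for function_config["KMSKeyArn"],
    or None when that field is absent. A non-compliant result carries the
    reason and the update-function-configuration call that remediates it.
    """
    name = function_config["FunctionName"]
    variables = function_config.get("Environment", {}).get("Variables", {})
    watched = sorted(v for v in variables if is_sensitive(v, extra_names))
    result = {"function": name, "variables": watched}

    if not watched:
        result["status"] = "NOT_APPLICABLE"
        return result

    def fail(reason: str) -> dict:
        result["status"] = "NON_COMPLIANT"
        result["reason"] = reason
        # Placeholder ARN: create the key first (aws kms create-key / create-alias).
        result["remediation"] = (
            f"aws lambda update-function-configuration --function-name {name} "
            "--kms-key-arn <ARN of a customer-managed key in the same region>"
        )
        return result

    key_arn = function_config.get("KMSKeyArn")
    if not key_arn:
        # Lambda omits KMSKeyArn when the AWS managed key (alias aws/lambda) is used.
        return fail("environment variables encrypted with the AWS managed key aws/lambda")

    meta = (describe_key or {}).get("KeyMetadata", {})
    if meta.get("KeyManager") != "CUSTOMER":
        return fail(f"{key_arn} is not customer managed (KeyManager={meta.get('KeyManager')!r})")
    if meta.get("KeyState") != "Enabled":
        # A disabled or pending-deletion key breaks decryption at invocation time.
        return fail(f"{key_arn} is in state {meta.get('KeyState')!r}, not Enabled")

    result["status"] = "COMPLIANT"
    result["key_arn"] = key_arn
    return result


# Constructed sample responses (assumed account ID and key ID).
ACCOUNT = "123456789012"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

FN_DEFAULT_KEY = {  # no KMSKeyArn field -> AWS managed key in use
    "FunctionName": "orders-api",
    "Environment": {"Variables": {"DB_password": "x", "password": "x", "LOG_LEVEL": "info"}},
}
FN_CUSTOMER_KEY = {
    "FunctionName": "billing-worker",
    "KMSKeyArn": KEY_ARN,
    "Environment": {"Variables": {"api_token": "x", "REGION": "us-east-1"}},
}
FN_NO_SECRETS = {
    "FunctionName": "static-site",
    "Environment": {"Variables": {"LOG_LEVEL": "debug"}},
}
DESCRIBE_KEY_CUSTOMER = {
    "KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}
DESCRIBE_KEY_DISABLED = {
    "KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}

if __name__ == "__main__":
    for cfg, key in ((FN_DEFAULT_KEY, None), (FN_CUSTOMER_KEY, DESCRIBE_KEY_CUSTOMER),
                     (FN_CUSTOMER_KEY, DESCRIBE_KEY_DISABLED), (FN_NO_SECRETS, None)):
        print(audit_function(cfg, key))
```

Note that "DB_password" is only picked up when you pass it through `extra_names`, which is what adding a name in the Conformity rule settings does; the default list matches it neither exactly nor as a "token" substring. To run this against a real account, feed it the output of `aws lambda list-functions` one function at a time.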
References
- AWS Documentation
  - AWS Lambda FAQs
  - Using AWS Lambda environment variables
  - What is AWS Lambda?
  - Creating keys
- AWS Command Line Interface (CLI) Documentation
  - lambda
    - list-functions
    - get-function
    - update-function-configuration
  - kms
    - describe-key
    - create-key
    - create-alias
Enable Encryption at Rest for Environment Variables using Customer Master Keys
Risk level: High