Securing Secrets in AWS Lambda
AWS Lambda functions often need to store secrets or other sensitive information, for example credentials for talking to a database, API keys or similar secrets. This article outlines the various options for working securely with credentials in AWS Lambda.
Storing Secrets in Environment Variables
Environment variables let you store configuration data outside of the function code, so the configuration can change across environments without modifying the code. Secrets can be stored in or provided through environment variables because AWS encrypts them at rest using AWS KMS. When the function code accesses them, AWS decrypts them.
In the AWS Console, expand the Encryption configuration section in AWS Lambda.
As can be seen above, a default key is already selected, which is managed by AWS using AWS KMS.
In the AWS Console, go to AWS KMS and check that a default key has been created for AWS Lambda under AWS Managed Keys.
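The same check can be run across many functions instead of one console page at a time. The sketch below is an added example, not code from the original article: it classifies configuration dicts in the shape returned by Lambda's GetFunctionConfiguration API, reporting whether the AWS managed default key or a customer managed key protects the environment variables. The sample data, the ARN and the name-matching heuristic are assumptions constructed for illustration.

```python
import re

# Heuristic for variable names that probably hold secrets (an assumption of
# this example; tune it for your own naming conventions).
SECRET_NAME = re.compile(r"(pass(word)?|secret|token|api_?key|credential)", re.I)

def audit_function(config):
    """Classify one function configuration dict.

    `config` has the shape returned by Lambda's GetFunctionConfiguration:
    'KMSKeyArn' is present only when a customer managed key is configured;
    otherwise the AWS managed default key (alias aws/lambda) is used.
    """
    variables = config.get("Environment", {}).get("Variables", {})
    key_arn = config.get("KMSKeyArn")
    return {
        "function": config["FunctionName"],
        "key": key_arn or "AWS managed default (aws/lambda)",
        "customer_managed_key": bool(key_arn),
        # Report names only, never values, so the audit output is not a leak.
        "secret_like_vars": sorted(n for n in variables if SECRET_NAME.search(n)),
    }

def audit(configs):
    """Return findings for functions that hold secret-like variables."""
    return [f for f in map(audit_function, configs) if f["secret_like_vars"]]

# Constructed sample data; with boto3 these dicts would come from
# boto3.client("lambda").get_function_configuration(FunctionName=...).
SAMPLE_CONFIGS = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {"DB_PASSWORD": "example-only", "STAGE": "prod"}}},
    {"FunctionName": "billing-sync",
     "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Environment": {"Variables": {"PAYMENT_API_KEY": "example-only"}}},
    {"FunctionName": "thumbnailer",
     "Environment": {"Variables": {"BUCKET": "images"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```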