Check encryption settings for Lambda environmental variable

Error: Encryption settings for Lambda environmental variable is not set properly
Bridgecrew Policy ID: BC_AWS_SERVERLESS_5
Checkov Check ID: CKV_AWS_173
Severity: Low

Encryption settings for Lambda environmental variable is not set properly

Description

You can use environment variables to adjust your function's behavior without updating code. An environment variable is a pair of strings that is stored in a function's version-specific configuration. The Lambda runtime makes environment variables available to your code and sets additional environment variables that contain information about the function and invocation request. Environment variables are not evaluated prior to the function invocation. Any value you define is considered a literal string and not expanded. Perform the variable evaluation in your function code.

Fix - Buildtime

Terraform

aws_lambda_function

  • Resource: aws_lambda_function
  • Argument: kms_key_arn
resource "aws_lambda_function" "test_lambda" {
  filename      = "lambda_function_payload.zip"
  function_name = "lambda_function_name"
  role          = aws_iam_role.iam_for_lambda.arn
  handler       = "index.test"

  # The filebase64sha256() function is available in Terraform 0.11.12 and later
  # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
  # source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
  source_code_hash = filebase64sha256("lambda_function_payload.zip")

  runtime = "nodejs12.x"
  
+ kms_key_arn = "ckv_km"
  
  environment {
    variables = {
      foo = "bar"
    }
  }
}