Overview
Lambda encrypts environment variables and related service data at rest by default. Regulated workloads sometimes require customer-managed KMS keys so key ownership, rotation, policy, and audit boundaries remain under the customer account.
This control is intentionally disabled by default because not every Lambda function needs a customer-managed key, and AWS Inspector currently does not scan Lambda functions encrypted with customer-managed KMS keys. Enable it only where regulatory or contractual key-control requirements outweigh that tradeoff, and pair it with CI/CD dependency and code scanning.
Remediation guidance
Remediation
Attach an approved customer-managed KMS key to the Lambda function only when the workload requires customer-controlled encryption. Lambda decrypts the environment variables with the function's execution role, so that role must be allowed kms:Decrypt on the key (through the key policy, an IAM policy, or both); a function whose role lacks it fails at invocation with a KMS access-denied error. Because AWS Inspector Lambda scanning does not currently cover CMK-encrypted functions, add compensating dependency and code scanning in CI/CD for every function you move to a customer-managed key.
AWS CLI
aws lambda update-function-configuration \
--region {{asset.region}} \
--function-name {{asset.name}} \
--kms-key-arn {{manual.kmsKeyArn}}
Validate the key ARN:
aws lambda get-function-configuration \
--region {{asset.region}} \
--function-name {{asset.name}} \
--query '{FunctionName:FunctionName,KMSKeyArn:KMSKeyArn}'
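As an added example that is not part of this page's own remediation content or any vendor tooling, the Python below applies the same test as the stored check (KMSKeyArn missing, null or empty means the AWS-owned default key is in use) and then sanity-checks the key ARN that a compliant function does carry: that it is a KMS key ARN, that its region matches the function's, and optionally that it is on an approved-key list. It works on dicts shaped like `aws lambda get-function-configuration` output so it runs offline against constructed sample data; the function names, ARNs and approved-key list are hypothetical, and the one boto3 call at the bottom is optional.

```python
"""Audit Lambda function configurations for customer-managed KMS keys.

Added example, not code from the control page. Operates on dicts shaped
like `get-function-configuration` / `list-functions` output (FunctionName,
FunctionArn, KMSKeyArn) so it can run offline against the constructed
sample below; only fetch_configs() talks to AWS.
"""
from __future__ import annotations

import re

# Constructed sample data: hypothetical function configurations.
SAMPLE_CONFIGS = [
    {   # compliant: key in the same region and account as the function
        "FunctionName": "payments-api",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:payments-api",
        "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    },
    {   # no KMSKeyArn at all: Lambda is using the AWS-owned default key
        "FunctionName": "nightly-report",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:nightly-report",
    },
    {   # empty string: the second pattern the stored check looks for
        "FunctionName": "legacy-import",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:legacy-import",
        "KMSKeyArn": "",
    },
    {   # key ARN present but in another region than the function
        "FunctionName": "cross-region-oops",
        "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:cross-region-oops",
        "KMSKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    },
]

# Only a key ARN (not an alias ARN or bare key ID) is accepted here.
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/[0-9a-f-]{36}$"
)
ARN_REGION_ACCOUNT_RE = re.compile(
    r"^arn:aws[a-z-]*:[a-z0-9-]+:(?P<region>[a-z0-9-]*):(?P<account>\d{12}):"
)


def uses_customer_managed_key(config: dict) -> bool:
    """Same condition as the stored check: missing, null or "" is non-compliant."""
    return bool(config.get("KMSKeyArn"))


def _region_account(arn: str) -> tuple[str, str] | None:
    m = ARN_REGION_ACCOUNT_RE.match(arn)
    return (m.group("region"), m.group("account")) if m else None


def key_findings(config: dict, approved_keys: set[str] | None = None) -> list[str]:
    """Return a list of problems with the function's KMS key; empty means OK."""
    findings: list[str] = []
    key_arn = config.get("KMSKeyArn")
    if not key_arn:
        findings.append("no customer-managed KMS key configured (AWS-owned default key in use)")
        return findings
    key = KMS_KEY_ARN_RE.match(key_arn)
    if key is None:
        findings.append(f"KMSKeyArn is not a KMS key ARN: {key_arn}")
        return findings
    fn = _region_account(config.get("FunctionArn", ""))
    if fn is not None:
        fn_region, fn_account = fn
        if key.group("region") != fn_region:
            findings.append(f"key region {key.group('region')} differs from function region {fn_region}")
        if key.group("account") != fn_account:
            findings.append(f"key is owned by account {key.group('account')}, function by {fn_account}; "
                            "confirm the cross-account grant is intended")
    if approved_keys is not None and key_arn not in approved_keys:
        findings.append("key is not in the approved customer-managed key list")
    return findings


def audit(configs: list[dict], approved_keys: set[str] | None = None) -> dict[str, list[str]]:
    """Map FunctionName -> findings for every function that has at least one."""
    report = {}
    for cfg in configs:
        problems = key_findings(cfg, approved_keys)
        if problems:
            report[cfg["FunctionName"]] = problems
    return report


def remediation_command(config: dict, key_arn: str) -> str:
    """Build the update-function-configuration call from the page, region taken from the ARN."""
    fn = _region_account(config["FunctionArn"])
    region = fn[0] if fn else "<region>"
    return (f"aws lambda update-function-configuration --region {region} "
            f"--function-name {config['FunctionName']} --kms-key-arn {key_arn}")


def fetch_configs(region: str) -> list[dict]:
    """Live variant: page through list_functions (boto3 imported here so the rest runs offline)."""
    import boto3  # assumed available only when you actually want to hit AWS
    paginator = boto3.client("lambda", region_name=region).get_paginator("list_functions")
    return [fn for page in paginator.paginate() for fn in page["Functions"]]


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFIGS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run it as-is to see the three non-compliant sample functions; to audit a real account, replace `SAMPLE_CONFIGS` with `fetch_configs("us-east-1")` and pass your approved key ARNs as `approved_keys`. The region check matters because `update-function-configuration` is issued in the function's region and the key you hand it must be usable there; the account check only flags cross-account keys for review, since those are valid when a grant is in place.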
References
- https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars-encryption.html
- https://docs.aws.amazon.com/lambda/latest/dg/security-dataprotection.html
- https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html
Query logic
These are the stored checks tied to this control.
AWS Lambda functions without a customer-managed KMS key
Connectors: AWS
Covered asset types
Expected check: eq []
{
  functions(
    where: {
      cloudProvider: { eq: "aws" }
      OR: [
        { kmsKeyARN: { eq: null } }
        { kmsKeyARN: { eq: "" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}