Serverless: securing Lambda secrets with AWS KMS (Key Management Service)

What is Serverless?

Serverless is an open-source application framework for building serverless architectures on AWS Lambda and other providers. It lets us deploy applications as independent functions that respond to events, are billed only while they run, and scale automatically. To learn more about the framework, read the documentation here.

What is KMS?

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt your data. To learn more about this service, refer to the documentation here.

The purpose

In practice, when developing applications with the Serverless framework you may have trouble finding the best way to store sensitive data such as database credentials, passwords and external API keys. Of course you can put them in plain environment variables, but anyone who can view the function's configuration can then read them; encrypting them with KMS, so that the plaintext exists only inside the running function, is much better and more secure. So what do we need to start?

There is a nice Serverless plugin called serverless-crypt which lets us encrypt and decrypt values in our Lambda function.

1. Install the plugin by adding it as a dependency of your application; the installation guide is in the readme file here.

2. Next, add the plugin to your serverless.yml file under the plugins section like this:

3. Add the KMS key variable under the custom section in serverless.yml like this:

4. Next we should create an IAM policy and attach it to your Serverless service role. Log in to your AWS console and open the service called IAM (Identity and Access Management). From the left menu click Roles, then search the list for the role of your Lambda function. Note: Serverless creates a role for your function when you deploy it, so you don't have to. The name consists of the name of your Lambda function, the stage variable value, the region and the wording "lambda Role", so for a function named "foo" the role name might be the following.

Once found, click on it to open the detail view, scroll to the bottom and find the section called "Inline Policies". Under Actions you should see an "Edit Policy" link; click it and add the KMS policy there. A sample policy is in the readme file of the serverless-crypt repository. Once added, click Apply Policy, and that's all you need.
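Steps 2 to 4 can also be expressed in the serverless.yml itself. The fragment below is an added example, not taken from the post or from the serverless-crypt readme: the iamRoleStatements block gives the generated role its KMS permission declaratively instead of editing the inline policy in the console, and it grants only kms:Decrypt on the single key the function uses, which is the least the function needs (encryption happens at deploy time under the developer's credentials, not inside Lambda). The setting name under custom, the account id, key id and ciphertext are placeholders; the plugin's readme gives the exact setting name it expects.

```yaml
# Added example serverless.yml fragment (not from the post or the plugin's readme).
# Values marked "placeholder" or "assumed" must be replaced with your own.
service: foo-service

provider:
  name: aws
  runtime: nodejs12.x
  stage: dev
  region: us-east-1
  # Least privilege: the function only ever decrypts, and only with this one key.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - kms:Decrypt
      # placeholder key ARN (AWS's documentation example account id)
      Resource: arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000

plugins:
  - serverless-crypt

custom:
  # Assumed setting name; check the serverless-crypt readme for the real one.
  cryptKeyId: 00000000-0000-0000-0000-000000000000   # placeholder KMS key id

functions:
  foo:
    handler: handler.foo
    environment:
      # Base64 KMS ciphertext produced at deploy time; the plaintext never appears here.
      DB_PASSWORD_ENCRYPTED: <base64-ciphertext-placeholder>
```

Keeping the statement scoped to one key ARN means a compromised or misconfigured function cannot decrypt material encrypted under the account's other keys, and omitting kms:Encrypt keeps the function from being used to mint ciphertexts that look legitimate.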

5. Follow the serverless-crypt readme file again to see how to encrypt and decrypt your data in the Lambda function.
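The decryption step deserves a worked example, because two details matter for security and cost: the ciphertext should be validated and decrypted once per container (cold start) rather than on every invocation, and the plaintext should live only in memory, never in logs or responses. The Node.js module below is an added example, not the post's or serverless-crypt's own code; it calls KMS through the AWS SDK v2 shape (kms.decrypt(params).promise() resolving to { Plaintext: Buffer }) and takes the client as a parameter so it runs offline against the constructed fake included here. The environment variable name DB_PASSWORD_ENCRYPTED and the sample values are assumptions.

```javascript
'use strict';
// Added example, not the post's or serverless-crypt's own code: a Node.js Lambda
// handler that decrypts a KMS-encrypted secret read from an environment variable.
// Uses the AWS SDK v2 KMS API shape: kms.decrypt(params).promise() -> { Plaintext }.
// The KMS client is injected so the module can run offline with the fake below.

const ENV_VAR = 'DB_PASSWORD_ENCRYPTED'; // assumed variable holding base64 ciphertext

// Per-container cache: decrypt once per cold start instead of on every invocation.
const secretCache = new Map();

// Read the base64 ciphertext from the environment and fail closed on anything
// missing or not valid base64, before it is ever sent to KMS.
function ciphertextFromEnv(env, name) {
  const value = env[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`missing encrypted secret in ${name}`);
  }
  if (value.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(value)) {
    throw new Error(`${name} is not base64 ciphertext`);
  }
  return Buffer.from(value, 'base64');
}

// Return the cached plaintext, or decrypt it via KMS and cache it in memory.
async function getSecret(kms, name, env = process.env) {
  if (secretCache.has(name)) return secretCache.get(name);
  const { Plaintext } = await kms
    .decrypt({ CiphertextBlob: ciphertextFromEnv(env, name) })
    .promise();
  const secret = Plaintext.toString('utf8');
  secretCache.set(name, secret);
  return secret;
}

// Handler factory. The secret is used for the connection and never logged or returned.
function makeHandler(kms, env = process.env) {
  return async function handler() {
    const password = await getSecret(kms, ENV_VAR, env);
    // ... open the database connection with `password` here ...
    void password;
    return { statusCode: 200, body: JSON.stringify({ ok: true }) };
  };
}

// Constructed fake KMS client: maps known base64 ciphertext to plaintext and
// counts decrypt calls so the caching behaviour can be observed offline.
function fakeKms(table) {
  const calls = { decrypt: 0 };
  return {
    calls,
    decrypt(params) {
      calls.decrypt += 1;
      const key = params.CiphertextBlob.toString('base64');
      return {
        promise: () =>
          key in table
            ? Promise.resolve({ Plaintext: Buffer.from(table[key], 'utf8') })
            : Promise.reject(new Error('InvalidCiphertextException')),
      };
    },
  };
}

// Constructed sample: not real KMS output, just bytes encoded as base64.
const SAMPLE_CIPHERTEXT = Buffer.from('constructed-ciphertext').toString('base64');

// Two invocations in one "container": the second must not call KMS again.
async function demo() {
  secretCache.clear();
  const env = { [ENV_VAR]: SAMPLE_CIPHERTEXT };
  const kms = fakeKms({ [SAMPLE_CIPHERTEXT]: 's3cret-db-password' });
  const handler = makeHandler(kms, env);
  const first = await handler();
  const second = await handler();
  return {
    plaintext: secretCache.get(ENV_VAR),
    bodies: [first.body, second.body],
    decryptCalls: kms.calls.decrypt, // 1: the second invocation hit the cache
  };
}

demo().then((r) => console.log({ bodies: r.bodies, decryptCalls: r.decryptCalls }));
```

In a deployed function the fake is replaced by a real client (new AWS.KMS() with aws-sdk v2), and the only permission the role needs is kms:Decrypt on the key that produced the ciphertext; the base64 check rejects a mangled or empty variable with a clear error instead of an opaque KMS failure.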
