In AWS Lambda, where can I securely store API Credentials?

Question

I have a lambda function configured through the API Gateway that is supposed to hit an external API via Node (ex: Twilio). I don't want to store the credentials for the functions right in the lambda function though. Is there a better place to set them?

Answer 1

For 2022 we have AWS Secrets Manager for storing sensitive data like Database Credentials, API Tokens, Auth keys, etc.

Answer 2

The functionality to do this was probably added to Lambda after this question was posted.

AWS documentation recommends using the environment variables to store sensitive information. They are encrypted (by default) using the AWS determined key (aws/lambda) when you create a Lambda function using the AWS Lambda console.

It leverages AWS KMS and allows you to either: use the key determined by AWS, or to select your own KMS key (by selecting Enable encryption helpers); you need to have created the key in advance.

From AWS DOC 1...

"When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service. When your Lambda function is invoked, those values are decrypted and made available to the Lambda code.

The first time you create or update Lambda functions that use environment variables in a region, a default service key is created for you automatically within AWS KMS. This key is used to encrypt environment variables. However, should you wish to use encryption helpers and use KMS to encrypt environment variables after your Lambda function is created, then you must create your own AWS KMS key and choose it instead of the default key. The default key will give errors when chosen."

The default key certainly does 'give errors when chosen' - which makes me wonder why they put it into the dropdown at all.

Sources:

• AWS Doc 1: Introduction: Building Lambda Functions » Environment Variables
• AWS Doc 2: Create a Lambda Function Using Environment Variables To Store Sensitive Information

Answer 3

While I haven't done it myself yet, you should be able to leverage AWS KMS to encrypt/decrypt API keys from within the function, granting the Lambda role access to the KMS keys.

Answer 4

Any storage service or database service on AWS will be able to solve your problem here. The question is what are you already using in your current AWS Lambda function? Based on that, and the following considerations:

• If you need it fast and cost is not an issue, use Amazon DynamoDB
• If you need it fast and mind the cost, use Amazon ElastiCache (Redis or Memcache)
• If you are already using some relational database, use Amazon RDS
• If you are not using anything and don't need it fast, use Amazon S3

In any case, you need to create some security policy (either IAM role or S3 bucket policy) to allow exclusive access between Lambda and your choice of storage / database.

Note: Amazon VPC support for AWS Lambda is around the corner, therefore any solution you choose, make sure it's in the same VPC with your Lambda function (learn more at https://connect.awswebcasts.com/vpclambdafeb2016/event/event_info.html)

Answer 5

I assume you're not referring to AWS credentials, but rather the external API credentials?

I don't know that it's a great place, but I have found posts on the AWS forums where people are putting credentials on S3.

It's not your specific use-case, but check out this forum thread.

https://forums.aws.amazon.com/thread.jspa?messageID=686261

If you put the credentials on S3, just make sure that you secure it properly. Consider making it available only to a specific IAM role that is only assigned to that Lambda function.