Here to Learn.

Reputation: 693

Serverless: Handle API key decryption in a lambda function

I am implementing an API that uses a third party library.

The third party library provides a key which needs to be passed in as an input. The key is dynamic and can change based on consumer/business scenario. The lambda function should be able to decrypt the key.

Can someone suggest a way to decrypt a key? I am exploring aws-kms approach on the side.

Please note: I have noted down the .env way of achieving it. But today my API is being consumed by one consumer, hence one API key. Tomorrow the number will increase (which would result in multiple keys), and I may not be in a position to store/update the function.

Edit: I need to pass some sensitive information through the payload. This can be an alphanumeric value, e.g. {"sender": "+123", "secret": "encrypted_value"}. The client and server should share a key which the client can use to encrypt the info and the server (lambda function) can use to decrypt it.

Any suggestion would be great! Thanks!

Upvotes: 1

Views: 770

Answers (1)

Viccari

Reputation: 9318

The standard way of doing something like you described in your "edit" section using KMS is:

  1. Client calls KMS directly to generate a data key. Client will get back the key in both its encrypted and its plain form.
  2. Client encrypts the data with the plain key, throws the plain key away, and sends the encrypted data and the encrypted key to the server.
  3. Server calls the KMS decrypt operation, gets back the plain key, and uses it to decrypt the data. Server throws away the decrypted key and uses the decrypted data as it wishes.

Please let me know if you meant something different, but this is a fairly standard way to use KMS. Of course, you need to lock down all of the APIs using IAM and KMS policies as your use cases determine.

Upvotes: 1
