
How to encrypt AWS Lambda environment variables using CloudFormation
I am working on an AWS CloudFormation template that includes a Lambda function with sensitive environment variables. I'd like to set up a KMS key and encrypt them with it, which is easy to do in the console but proving very difficult to do in CloudFormation.

Can anyone please post a basic CloudFormation JSON object for a Lambda with at least one environment variable that is encrypted using a KMS key, as well as the JSON for creating that key?
Solution

  • It looks like there's a feature request up for it currently, in AWS' serverless-application-model project: https://github.com/awslabs/serverless-application-model/issues/48

    However, at the moment there is no way to encrypt individual environment variables via CloudFormation. As for setting up the KMS key itself with CloudFormation, see the following: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

    After creating the KMS Key resource, you can use it in your Lambda Function by specifying a KmsKeyArn property in your Function's properties.