
Post-upload processing of SSE-C encrypted objects on S3: how to provide the key to the Lambda function?


When using SSE-C, the AWS documentation states that the encryption key is obliterated from RAM right after the objects are put into their bucket on S3.

I need to extract and process some data from my objects right after they are uploaded, but the original objects are to be archived indefinitely. I'm struggling to find a reliable and safe pattern to provide the encryption key to the Lambda function which would be doing the job.

My idea was to use an SQS queue (which also features its own encryption and therefore could contain an event with the key) to trigger the Lambda, but it doesn't seem there's a way I can put the key into the event.

All the other design patterns that I can think of seem frankly terrible. Any idea on how to design a clean architecture to achieve that?


Solution

  • The whole point of SSE-C is that you store the key yourself, outside of Amazon, instead of storing it in a service like AWS KMS or HSM where other AWS services could access the key (if you gave them the appropriate IAM permission). There's no way for Lambda to access that key, unless you are storing it somewhere like a HashiCorp Vault server, and you make that server available to the Lambda function somehow.
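The pattern the answer describes, as an added example that is not part of the answer or of any AWS code: the S3 event carries no key material, only the bucket and object name; the handler resolves the SSE-C key from an out-of-band key provider (a Vault or secrets-store client in production, a dict here) and only then reads the object. The `key_provider` lookup-by-bucket-name, the `FakeSseCBucket` stand-in for S3, and the sample event and object are all constructed for this example; the three `x-amz-server-side-encryption-customer-*` headers and the 256-bit key length are the real SSE-C contract.

```python
"""Post-upload processing of an SSE-C object from a Lambda-style handler.

Added example, not code from the original post or from AWS. The SSE-C key
never travels in the S3 event: the handler looks the key up by a non-secret
reference (here, the bucket name) in an out-of-band key provider, which in
production would be a Vault or secrets-store client reachable from the
function. S3 itself is replaced by an in-memory stand-in so this runs offline.
"""
import base64
import hashlib
from typing import Callable, Dict
from urllib.parse import unquote_plus

SSEC_ALGORITHM = "AES256"  # the only algorithm S3 accepts for SSE-C
KEY_BYTES = 32             # SSE-C keys are 256-bit


def ssec_headers(key: bytes) -> Dict[str, str]:
    """Return the three SSE-C request headers the S3 REST API expects.

    S3 recomputes the MD5 of the key it receives and compares it with the
    -key-MD5 header, so a corrupted key is rejected rather than used.
    (boto3 users pass the raw key as SSECustomerKey; botocore derives the
    other two values the same way.)
    """
    if len(key) != KEY_BYTES:
        raise ValueError(f"SSE-C key must be {KEY_BYTES} bytes, got {len(key)}")

    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode("ascii")

    return {
        "x-amz-server-side-encryption-customer-algorithm": SSEC_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": b64(key),
        "x-amz-server-side-encryption-customer-key-MD5": b64(hashlib.md5(key).digest()),
    }


class FakeSseCBucket:
    """Constructed stand-in for an S3 bucket holding SSE-C objects (offline only).

    It keeps the part of the SSE-C contract that matters here: the object is
    bound to the MD5 of the key used at upload, and a GET with a different
    key is rejected instead of returning data.
    """

    def __init__(self) -> None:
        self._objects: Dict[str, tuple] = {}

    def put_object(self, name: str, body: bytes, headers: Dict[str, str]) -> None:
        self._objects[name] = (body, headers["x-amz-server-side-encryption-customer-key-MD5"])

    def get_object(self, name: str, headers: Dict[str, str]) -> bytes:
        body, key_md5 = self._objects[name]
        if headers.get("x-amz-server-side-encryption-customer-key-MD5") != key_md5:
            raise PermissionError(f"SSE-C key for {name!r} does not match; request rejected")
        return body


def process_upload(event: dict, key_provider: Callable[[str], bytes],
                   bucket: FakeSseCBucket) -> Dict[str, dict]:
    """Lambda-style handler for an S3 ObjectCreated event.

    `key_provider` is the hypothetical out-of-band lookup (Vault, etc.); the
    event only names the bucket and object, never the key material.
    """
    results = {}
    for record in event["Records"]:
        bucket_name = record["s3"]["bucket"]["name"]
        # S3 URL-encodes object keys in event notifications.
        object_key = unquote_plus(record["s3"]["object"]["key"])
        raw_key = key_provider(bucket_name)  # fetched per invocation, not cached
        body = bucket.get_object(object_key, ssec_headers(raw_key))
        # "Processing": extract the first line and the size; the archived
        # object itself is left untouched.
        results[object_key] = {"bytes": len(body),
                               "first_line": body.split(b"\n", 1)[0].decode()}
    return results


def demo() -> tuple:
    """Upload with one key, process it, then show a wrong key being rejected."""
    upload_key = bytes(range(32))            # constructed key for the demo
    vault = {"archive-bucket": upload_key}   # stand-in for the external key store
    bucket = FakeSseCBucket()
    bucket.put_object("2024/report.csv", b"id,amount\n1,10\n2,20\n",
                      ssec_headers(upload_key))
    # Constructed S3 event record (the shape S3 sends to Lambda, trimmed).
    event = {"Records": [{"s3": {"bucket": {"name": "archive-bucket"},
                                 "object": {"key": "2024/report.csv"}}}]}
    results = process_upload(event, vault.__getitem__, bucket)
    try:
        process_upload(event, lambda _: bytes(32), bucket)  # wrong key
        rejected = False
    except PermissionError:
        rejected = True
    return results, rejected


if __name__ == "__main__":
    print(demo())
```

With a real client, `key_provider` becomes a Vault (or other secrets-store) read authenticated with the function's own identity, and the Lambda role gets read access to that one secret path only; the SSE-C key should be fetched per invocation rather than baked into an environment variable, where it would be visible to anyone who can describe the function. Python cannot reliably zero the key bytes afterwards, so keep the function's memory footprint and logging free of the raw key.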