Ensure encryption in transit is enabled for Lambda environment variables¶

As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection.

How to fix¶

Attribute kms_key_arn of aws_lambda_function must be non-empty.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/lambda/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = ">=8.0.0"

  create_package         = false
  function_name          = "abc123"
  handler                = "index.lambda_handler"
  local_existing_package = "lambda_function.zip"
  runtime                = "python3.12"

  kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_lambda_function.

resource "aws_lambda_function" "this" {
  filename         = "lambda_function.zip"
  function_name    = "pofix-example-function"
  handler          = "index.handler"
  role             = "arn:aws:iam::123456789012:role/example-role"
  runtime          = "python3.12"
  source_code_hash = "mock-source-code-hash"

  kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: lambda_function_encryption_enabled

• Checkov Check: CKV_AWS_173

• Powerpipe Control: aws_compliance.control.lambda_function_encryption_enabled