The Sneaky Weakness Behind AWS’ Managed KMS Keys

category: AWS Serverless


When you create a Lambda function you can configure a raft of attributes, but the ones that matter here are the execution role, at least one environment variable, and the absence of a KMS customer-managed key for encrypting those variables. When you include environment variables, Lambda helpfully encrypts them for you: if you have specified a KMS key it uses that, and if you have not, it uses the AWS-managed key with the alias aws/lambda. But what happens if the execution role is accidentally deleted? Your function breaks and won't start. Now say you re-create the role exactly as it was, whether through your infrastructure-as-code tool of choice or in a panic through the console. Your function still won't work.
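As an added example (not code from the linked article), here is an inventory check for the precondition the post describes: functions that carry environment variables but no customer-managed key, so their secrets depend on the aws/lambda managed key, with a flag for any whose execution role no longer exists. The boto3 calls in `collect_from_account` are an assumption about the live environment; the filtering logic runs offline on constructed sample configurations.

```python
"""Find Lambda functions whose encrypted environment variables rely on the
AWS-managed aws/lambda KMS key, and flag those whose execution role is gone.
Added example; the boto3 usage in collect_from_account is an assumption."""
from typing import Dict, Iterable, List


def at_risk_functions(configs: Iterable[Dict], existing_roles: Iterable[str]) -> List[Dict]:
    """One finding per function that has environment variables but no
    customer-managed key (KMSKeyArn absent), i.e. it relies on aws/lambda.
    'role_missing' is True when its execution role is not in existing_roles."""
    roles = set(existing_roles)
    findings = []
    for cfg in configs:
        variables = (cfg.get("Environment") or {}).get("Variables") or {}
        if not variables or cfg.get("KMSKeyArn"):
            continue  # nothing encrypted, or a CMK the team controls itself
        findings.append({
            "function": cfg["FunctionName"],
            "role": cfg["Role"],
            "role_missing": cfg["Role"] not in roles,
        })
    return findings


def collect_from_account(region: str = "us-east-1") -> List[Dict]:
    """Live variant (assumption: boto3 installed and credentials configured)."""
    import boto3  # imported here so the pure logic above runs offline
    lam = boto3.client("lambda", region_name=region)
    iam = boto3.client("iam")
    configs = [f for page in lam.get_paginator("list_functions").paginate()
               for f in page["Functions"]]
    roles = {r["Arn"] for page in iam.get_paginator("list_roles").paginate()
             for r in page["Roles"]}
    return at_risk_functions(configs, roles)


# Constructed sample: three function configurations and the roles that still exist.
SAMPLE_CONFIGS = [
    {"FunctionName": "orders-api", "Role": "arn:aws:iam::123456789012:role/orders-role",
     "Environment": {"Variables": {"DB_HOST": "db.internal"}}},  # managed key, role deleted
    {"FunctionName": "billing", "Role": "arn:aws:iam::123456789012:role/billing-role",
     "KMSKeyArn": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID",
     "Environment": {"Variables": {"API_KEY": "x"}}},  # customer-managed key: skipped
    {"FunctionName": "cron", "Role": "arn:aws:iam::123456789012:role/cron-role"},  # no env vars
]
SAMPLE_ROLES = ["arn:aws:iam::123456789012:role/billing-role",
                "arn:aws:iam::123456789012:role/cron-role"]  # orders-role is gone

if __name__ == "__main__":
    for finding in at_risk_functions(SAMPLE_CONFIGS, SAMPLE_ROLES):
        print(finding)
```

A role that was deleted and re-created keeps the same ARN, so `role_missing` only catches roles that are currently absent; the full finding list is the set of functions exposed to the failure the post describes.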



∞ This link was created on November 10, 2021 ∞