Encrypting Lambda .zip deployment packages - AWS Lambda

Encrypting Lambda .zip deployment packages

Lambda always provides server-side encryption at rest for .zip deployment packages and function configuration details with an AWS KMS key. By default, Lambda uses an AWS owned key. If this default behavior suits your workflow, you don't need to set up anything else. AWS doesn't charge you to use this key.

If you prefer, you can provide an AWS KMS customer managed key instead. You might do this to have control over rotation of the KMS key or to meet the requirements of your organization for managing KMS keys. When you use a customer managed key, only users in your account with access to the KMS key can view or manage the function's code or configuration.

Customer managed keys incur standard AWS KMS charges. For more information, see AWS Key Management Service pricing.

Create a customer managed key

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs.

To create a symmetric customer managed key

Follow the steps for Creating symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.

Permissions

Key policy

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. For more information, see How to change a key policy in the AWS Key Management Service Developer Guide.

When you use a customer managed key to encrypt a .zip deployment package, Lambda doesn't add a grant to the key. Instead, your AWS KMS key policy must allow Lambda to call the following AWS KMS API operations on your behalf:

The following example key policy allows all Lambda functions in account 111122223333 to call the required AWS KMS operations for the specified customer managed key:

For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide.
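As an added example that is not part of the AWS page, the following Python check reads a key policy document and reports whether it grants the Lambda service principal what it needs for functions in a given account, and whether the grant is scoped with aws:SourceAccount. It assumes the required operations are kms:GenerateDataKey and kms:Decrypt (an assumption, since the page's list of operations is missing here); both sample policies are constructed.

```python
import json

# Assumption: the KMS operations Lambda must be allowed to call for a .zip package
# key are GenerateDataKey and Decrypt (the page's own list did not survive extraction).
REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
LAMBDA_PRINCIPAL = "lambda.amazonaws.com"

# Constructed sample policy: Lambda may use the key only for functions in 111122223333.
GOOD_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowLambdaZipPackages", "Effect": "Allow",
    "Principal": {"Service": LAMBDA_PRINCIPAL},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]})

# Constructed weak variant: only Decrypt, and no aws:SourceAccount condition, so a
# Lambda function in any account that can reference the key could use it (confused deputy).
WEAK_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": LAMBDA_PRINCIPAL},
    "Action": "kms:Decrypt", "Resource": "*"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_lambda_key_policy(policy_json, account_id):
    """Return {"ok", "missing", "unscoped_statements"} for the Lambda service principal:
    ok when every required action is granted to functions in account_id;
    unscoped_statements counts granting statements with no aws:SourceAccount condition."""
    granted, unscoped = set(), 0
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if stmt.get("Effect") != "Allow" or not {LAMBDA_PRINCIPAL, "*"} & set(services):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        hit = REQUIRED_ACTIONS if "kms:*" in actions else actions & REQUIRED_ACTIONS
        if not hit:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        accounts = _as_list(cond.get("aws:SourceAccount", []))
        if accounts and account_id not in accounts:
            continue  # granted, but only to functions in a different account
        unscoped += not accounts
        granted |= hit
    return {"ok": granted == REQUIRED_ACTIONS,
            "missing": sorted(REQUIRED_ACTIONS - granted),
            "unscoped_statements": unscoped}
```

Run it against the output of `aws kms get-key-policy` for the key you intend to pass as SourceKMSKeyArn; a non-zero unscoped_statements count is worth tightening even when ok is True.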

Principal permissions

When you use a customer managed key to encrypt a .zip deployment package, only principals with access to that key can access the .zip deployment package. For example, principals who don't have access to the customer managed key can't download the .zip package using the presigned S3 URL that's included in the GetFunction response. An AccessDeniedException is returned in the Code section of the response.

For more information about permissions for AWS KMS keys, see Authentication and access control for AWS KMS.

Using a customer managed key for your .zip deployment package

Use the following API parameters to configure customer managed keys for .zip deployment packages:

When SourceKMSKeyArn and KMSKeyArn are both specified, Lambda uses the KMSKeyArn key to encrypt the unzipped version of the package that Lambda uses to invoke the function. When SourceKMSKeyArn is specified but KMSKeyArn is not, Lambda uses an AWS managed key to encrypt the unzipped version of the package.

Lambda console

To add customer managed key encryption when you create a function

  1. Open the Functions page of the Lambda console.

  2. Choose Create function.

  3. Choose Author from scratch or Container image.

  4. Under Basic information, do the following:

    1. For Function name, enter the function name.

    2. For Runtime, choose the language version to use for your function.

  5. Expand Advanced settings, and then select Enable encryption with an AWS KMS customer managed key.

  6. Choose a customer managed key.

  7. Choose Create function.

To remove customer managed key encryption, or to use a different key, you must upload the .zip deployment package again.

To add customer managed key encryption to an existing function

  1. Open the Functions page of the Lambda console.

  2. Choose the name of a function.

  3. In the Code source pane, choose Upload from.

  4. Choose .zip file or Amazon S3 location.

    (Screenshot: Upload .zip file from code source pane)

  5. Upload the file or enter the Amazon S3 location.

  6. Choose Enable encryption with an AWS KMS customer managed key.

  7. Choose a customer managed key.

  8. Choose Save.

AWS CLI

To add customer managed key encryption when you create a function

In the following create-function example:

  • --zip-file: Specifies the local path to the .zip deployment package.

  • --source-kms-key-arn: Specifies the customer managed key to encrypt the zipped version of the deployment package.

  • --kms-key-arn: Specifies the customer managed key to encrypt the environment variables and the unzipped version of the deployment package.

aws lambda create-function \
    --function-name myFunction \
    --runtime nodejs22.x \
    --handler index.handler \
    --role arn:aws:iam::111122223333:role/service-role/my-lambda-role \
    --zip-file fileb://myFunction.zip \
    --source-kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key-id \
    --kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key2-id

In the following create-function example:

  • --code: Specifies the location of the .zip file in an Amazon S3 bucket. You only need to use the S3ObjectVersion parameter for versioned objects.

  • --source-kms-key-arn: Specifies the customer managed key to encrypt the zipped version of the deployment package.

  • --kms-key-arn: Specifies the customer managed key to encrypt the environment variables and the unzipped version of the deployment package.

aws lambda create-function \
    --function-name myFunction \
    --runtime nodejs22.x \
    --handler index.handler \
    --role arn:aws:iam::111122223333:role/service-role/my-lambda-role \
    --code S3Bucket=amzn-s3-demo-bucket,S3Key=myFileName.zip,S3ObjectVersion=myObjectVersion \
    --source-kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key-id \
    --kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key2-id

To add customer managed key encryption to an existing function

In the following update-function-code example:

  • --zip-file: Specifies the local path to the .zip deployment package.

  • --source-kms-key-arn: Specifies the customer managed key to encrypt the zipped version of the deployment package. Lambda uses an AWS owned key to encrypt the unzipped package for function invocations. If you want to use a customer managed key to encrypt the unzipped version of the package, run the update-function-configuration command with the --kms-key-arn option.

aws lambda update-function-code \
    --function-name myFunction \
    --zip-file fileb://myFunction.zip \
    --source-kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key-id

In the following update-function-code example:

  • --s3-bucket: Specifies the location of the .zip file in an Amazon S3 bucket.

  • --s3-key: Specifies the Amazon S3 key of the deployment package.

  • --s3-object-version: For versioned objects, the version of the deployment package object to use.

  • --source-kms-key-arn: Specifies the customer managed key to encrypt the zipped version of the deployment package. Lambda uses an AWS owned key to encrypt the unzipped package for function invocations. If you want to use a customer managed key to encrypt the unzipped version of the package, run the update-function-configuration command with the --kms-key-arn option.

aws lambda update-function-code \
    --function-name myFunction \
    --s3-bucket amzn-s3-demo-bucket \
    --s3-key myFileName.zip \
    --s3-object-version myObjectVersion \
    --source-kms-key-arn arn:aws:kms:us-east-1:111122223333:key/key-id

To remove customer managed key encryption from an existing function

In the following update-function-code example, --zip-file specifies the local path to the .zip deployment package. When you run this command without the --source-kms-key-arn option, Lambda uses an AWS owned key to encrypt the zipped version of the deployment package.

aws lambda update-function-code \
    --function-name myFunction \
    --zip-file fileb://myFunction.zip