billions-lock-73409

02/08/2019, 4:51 PM
For lambda env variables, is it possible to enable the transit encryption option? I see we can supply a KMS ARN but that only covers it at rest

white-balloon-205

02/08/2019, 5:50 PM
I don't know off the top of my head what the Lambda console's "Enable helpers for encryption in transit" does - I'm pretty sure that's not a core capability of the underlying platform. What I think it does is just make KMS calls to encrypt the value before storing it as the value of the environment key, and then it's up to you to KMS decrypt the value you get inside the Lambda implementation. That's certainly possible to do via Pulumi as well using `aws.kms.getCipherText` to encrypt, and then `aws-sdk` KMS APIs at runtime to decrypt.