https://github.com/cch0/awslambdawithkms
- Host: GitHub
- URL: https://github.com/cch0/awslambdawithkms
- Owner: cch0
- License: apache-2.0
- Created: 2016-05-15T21:02:53.000Z (about 10 years ago)
- Default Branch: master
- Last Pushed: 2016-05-15T22:16:12.000Z (about 10 years ago)
- Last Synced: 2025-02-12T15:37:04.579Z (over 1 year ago)
- Language: Java
- Size: 8.79 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Purpose
An AWS Lambda function that demonstrates a round-trip encrypt/decrypt
through AWS KMS without embedding any AWS credentials in the Lambda code.
# Prerequisites
The Lambda function is deployed with an execution role whose policy
allows the kms:Encrypt, kms:Decrypt and kms:CreateKey actions.
kms:CreateKey is broader than a round trip itself needs; outside a demo,
grant kms:Encrypt and kms:Decrypt on the ARN of one specific key instead.
# Details
To keep the Lambda secret-less, the function runs under an execution
role that carries the permissions needed to encrypt and decrypt. The
Lambda service assumes that role on the function's behalf and places the
resulting temporary credentials in the function's environment, where the
AWS SDK's default credential provider chain picks them up automatically.
In practice, the real AWS credentials (or any other secret) can be
encrypted through an out-of-band process, and the resulting ciphertext
can then be stored safely in a file (such as configuration.yml) or in an
S3 bucket: only a principal allowed to call kms:Decrypt on that key can
recover the plaintext. When the Lambda function needs the credentials
for some other purpose (such as talking to another AWS service through
an SDK client), it decrypts the stored ciphertext with the AWS KMS
client.
Since the function already runs under a role that is allowed to decrypt,
no AWS credentials have to be supplied when constructing the KMS client.
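The pattern described above (execution role supplies credentials, KMS does the round trip, a ciphertext produced out of band is decrypted at runtime), as an added example written for this page; it is not the repository's own code. It assumes AWS SDK for Java v2 and aws-lambda-java-core on the classpath, a hypothetical KEY_ID environment variable holding the key ID or ARN, and a hypothetical ENCRYPTED_CREDENTIALS environment variable holding a base64-encoded KMS ciphertext produced out of band with the same encryption context.

```java
package example; // hypothetical package name

import java.util.Base64;
import java.util.Map;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;

public class KmsRoundTripHandler implements RequestHandler<Map<String, String>, String> {

    // No access keys anywhere in the code: KmsClient.create() walks the default
    // credential provider chain, which on Lambda reads the temporary credentials
    // that the service injects for the execution role (AWS_ACCESS_KEY_ID,
    // AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN in the environment).
    private final KmsClient kms = KmsClient.create();

    // Key used for Encrypt. Decrypt does not need it: a symmetric KMS ciphertext
    // carries the ID of the key that produced it. KEY_ID is a hypothetical name.
    private final String keyId = System.getenv("KEY_ID");

    // Encryption context is authenticated additional data: Decrypt fails unless
    // the caller supplies the same pairs, so a ciphertext lifted out of this
    // function's config cannot be decrypted by code that does not know them.
    private static final Map<String, String> CONTEXT = Map.of("purpose", "lambda-config");

    /** Encrypts a UTF-8 string under the configured key and returns the raw blob. */
    public byte[] encrypt(String plaintext) {
        EncryptRequest req = EncryptRequest.builder()
                .keyId(keyId)
                .plaintext(SdkBytes.fromUtf8String(plaintext))
                .encryptionContext(CONTEXT)
                .build();
        return kms.encrypt(req).ciphertextBlob().asByteArray();
    }

    /** Decrypts a blob produced by encrypt() or by the out-of-band process. */
    public String decrypt(byte[] ciphertext) {
        DecryptRequest req = DecryptRequest.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(ciphertext))
                .encryptionContext(CONTEXT)
                .build();
        return kms.decrypt(req).plaintext().asUtf8String();
    }

    /**
     * The "credentials encrypted out of band" case from the README: the
     * ciphertext sits base64-encoded in ENCRYPTED_CREDENTIALS (hypothetical
     * variable name) and is only ever turned back into plaintext inside the
     * function, by a caller that holds kms:Decrypt on the key.
     */
    public String loadStoredSecret() {
        String encoded = System.getenv("ENCRYPTED_CREDENTIALS");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("ENCRYPTED_CREDENTIALS is not set");
        }
        return decrypt(Base64.getDecoder().decode(encoded));
    }

    @Override
    public String handleRequest(Map<String, String> event, Context context) {
        // Round trip: encrypt the event's "plaintext" field, decrypt it again
        // and check that the two match. Nothing in this path reads a key pair.
        String original = event.getOrDefault("plaintext", "hello from lambda");
        String recovered = decrypt(encrypt(original));
        if (!original.equals(recovered)) {
            throw new IllegalStateException("round trip mismatch");
        }
        // Report only the length of the stored secret so that the plaintext
        // never lands in CloudWatch Logs.
        int storedLen = loadStoredSecret().length();
        return "round trip ok; stored secret has " + storedLen + " chars";
    }
}
```

The function's execution role needs kms:Encrypt and kms:Decrypt on the key named by KEY_ID; whoever produced ENCRYPTED_CREDENTIALS out of band needs kms:Encrypt on the same key and must pass the same encryption context, otherwise loadStoredSecret() fails with an InvalidCiphertextException rather than returning wrong data.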