Encrypt and Decrypt AWS Lambda Function Environment Variables using AWS KMS

Captions
Hello friends, welcome to our channel. Today in this particular video I am going to discuss how we can encrypt and decrypt environment variables in an AWS Lambda function. For this particular discussion, obviously I am going to use Lambda; as a programming language I am going to use Python; to access the environment variables I am going to use the os module; and to make the whole code more secure I am going to use AWS KMS. What this particular service is, I am going to discuss within a few minutes.

So many times we use many secure keys in our code, that can be a user ID or password or a JDBC URL using which you are connecting to a database. If you are hardcoding those values, that is a terrible idea, because you are exposing them to the external world. For example, you have used some secure credentials in your code, and for future reference you are putting that code in a GitHub repo, and the GitHub repo is public; at that time anyone who can see the code can access the data of the database, or any particular confidential information they can access. So that is a problem. Secrets are meant to be well secured. We need to ensure that as a programmer or developer we do not expose important secure keys like database passwords and all to the outside world. Hardcoding passwords or some credentials is a terrible idea, and we must avoid that as much as possible. Luckily, if we are using AWS Lambda, we can easily avoid that using the environment variable feature, which I am going to show you. Using environment variables you might not need to hardcode the user ID, password, this kind of secure credential in your code. But if some person has access to that Lambda function, they can easily access that environment variable too. So what we need to ensure: we will provide the environment variable, and we will also try to create such a system which will encrypt the environment variables, so that whoever can see the environment variable, even they cannot use that directly; they need to decrypt that first, and for that they need to know the key using which the encryption happened. Because for cryptographic encryption and decryption we need some key, and that key we are going to store using KMS; we are going to give access using KMS; everyone will not have access to that key.

So what is AWS KMS? KMS is Key Management System, okay, or Key Management Service. AWS KMS makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. So the number one thing: it will create the cryptographic key which can be used for encryption and decryption. It will manage that also. It will ensure that some particular application will be having access to that key, not every application. So the most important features of KMS can be described like this. It has access control using IAM users and roles: you can specify which IAM user and role can access that KMS key, and no other IAM user and role can access that. Then another important feature is automatic key rotation. You can apply this particular feature to make your system more secure. That is, for example, in a periodic repetition, suppose at a 30-day interval you will be changing your password: one password will be staying for 30 days, after 30 days one new password will come, once the 30 days are over again the previous password will come, like that. Automatic key rotation, sometimes the admin team enables this particular feature to make the system more secure. Apart from that, re-enable disabled keys. What is this particular feature? For example, currently you are having some KMS keys which you are using for encoding and decoding some secret credential. Now you have observed that this particular key we might not need to use in the upcoming 30 days, so you can disable that key. After 30 days, if you need that key for decrypting the secured credentials, then you can re-enable those. So all these things you can do using this KMS or Key Management Service. I am going to discuss how we can use environment variables in AWS Lambda, as well as I am going to show you how we can make this system secured using this Key Management Service. So without wasting much time, let us directly jump into our code.

For this particular discussion I am considering the same example which I used in my previous video also, for demonstrating the CloudWatch event trigger. That is, we are having one API; that API key we generated from openweather.org, which can be used to access the temperature or weather related information for a particular city. If you want to know the detailed explanation of how to access this website and how to create the API key, you can check the link given in the description box; I have already explained it in detail. So I created one API key, which is a kind of secret credential we can say, and that we will try to secure in our program. If we consider the simple program, how we did it in Google Colab: first we install the requests library, and then we have imported that. We are giving this city name and the API key which we created, and then we are passing the city name and API key in this URL. Also we are specifying units as metric, so that the temperature related information, whatever we are going to get from this API response, should be in Celsius units, because in Celsius you are more comfortable. So I am using this one, and then we are using the get method to get the result, which is coming as the response in JSON format, and we are converting it using this .json(), and we are getting this particular response, which is a kind of dictionary. For example, if you want to get the temperature related information for this particular Orlando city, then you can see that in this particular data extracted in this dictionary there is a key called main, and in the main key temperature is another key where the temperature information is stored in Celsius units. So suppose I want to access the temperature; I need to first go to this main key and then I need to go to the temperature key. Like that I can simply access the temperature information from this data.

Same thing let me first do in AWS Lambda. So I'll go to the Lambda console, I will click on Lambda, I will create a new function. In the function name I will be giving lambda kms testing. Then as a runtime I am going to choose Python 3.7, not Python 3.9. Why? Because the requests library is readily available in AWS Lambda for 3.7 but not for 3.9. If you want to use the requests library in 3.9 you need to create a layer, or zip the whole code with all the dependent libraries, put it in some S3 location and give that path, like that; that also I discussed earlier. But for simplicity I am directly using Python 3.7 where the requests library is available. And then I am going to create the function, that's it. How my function will look: my function will look like this: import boto3, import requests, import json, and then we are creating the Lambda function. City name and API key we are passing, the URL is specified the same way I just discussed, we are printing the URL, we are using the get method to get the information, we are converting it to this data, and then we are accessing the temperature related information using the dictionary keys and we are printing the temperature related information. Let me copy this particular piece of code; I am not copying boto3 because currently it is not required. So I can go to this Lambda function, and here I can delete this one, I can paste this. City name I can copy from here, which is Orlando, and then the API key I can copy from here, and that one I can paste here. So now you see this code is not secure, because the API key is something important which should be secured, but we are simply exposing it. Now suppose I am putting this code in GitHub; anyone who will see this code in a public repo, they can run this code easily. So that we will make secured. Before that, let me deploy this and test whether it is working or not. I will go to Test, I'll click on Test. See, it is successfully executed, and if you go to this particular log you will get: temperature of Orlando city is 31.65 degree Celsius.

Right now let us do one thing: let us go to the Lambda function and then here let us try to put these two values in some environment variables. So here I will do import os, which is used to access the environment variables, and instead of the city name I will put os.environ, the function using which we access an environment variable, and suppose the city name is stored in a city environment variable, and the API key is stored in, suppose, an api key environment variable. So now this particular code, if you put it in GitHub, it is at least more secure than the earlier version, because no person can simply run this code. For example, if I simply go and test this code it will throw an error. And if you see, it is not showing an error, okay, sorry, I forgot to deploy this modified code. Let me deploy that, and then if I test it you will see that you will be getting a KeyError: city, because this city is not stored as an environment key. We need to save that, then only we can access that. So for that, to set up environment variables in the Lambda function, all we need to do is go to Configuration, go to Environment variables, click on Edit and then Add environment variable. In the key you can add the environment variable: city, I want to put this environment variable, Orlando. And here this particular one, api key, I want to put this particular value. So now this particular Lambda function will run in some EC2; in that EC2 these two keys will be accessible, so our code will access those two keys, and then the values it will put in these two variables, city name and API key, and it will run. We can test it now. If we test: KeyError api. What is that? Let me confirm. Api, okay sorry, here this api key. Right now let me deploy that and test it out. Here it is coming; let me go to Configuration. Here I specified api key perfectly, okay. Error: api key is trying to access api key only. Okay, sorry, api key, I did a mistake in spelling. Now let me test it, and see, it is successful: the temperature of Orlando city is 31.65 degree Celsius. Perfect. At least the code is more secure than earlier; now we can put this in GitHub. But the problem is, suppose someone who has access to this Lambda function, they can simply go to Configuration and they can see: okay, this is the API key and this is the city name. This way we are not making the whole system more secure. So we need to encrypt these two values, or at least one value; city is not that much of a secure thing, but at least the API key we need to secure, and that we are going to do using KMS.

So I will go to the AWS Management Console, I will go to Key Management Service, I'll click on that and I will go to Create a key, and I am going to create a symmetric key. That means the same key will be used for both encryption and decryption. I can go to Next, and as the key name I am giving lambda kms demo, like that. If you want you can give some description also, and then I can click on Next. And then here we need to basically mention what are the IAM users or roles which can access this key. All the IAM users or roles cannot access; only those which we will be mentioning, those alone can access this key for encryption and decryption. So our Lambda should have access to this new key, so we need to allow the Lambda role here so that that role can access it. We need to go to Permissions in the Lambda function and we can copy this role name. I will be copying this, I'll be going here, I'll be pasting that, and here this role is showing for the Lambda which we just now created. I'll be giving this access, I'll be going to Next, and then here we need to choose the account again; for the same Lambda, suppose the Lambda role, I want to give this access. I can go to Next, and these are the details what you can see: symmetric key, the same key we are going to use for encryption and decryption. We can click on Finish. So you can see here: your AWS KMS key was successfully created. Just now we created this particular key, which is lambda kms demo. So now we are going to use this for encryption of these environment variables.

So all we need to do to encrypt our environment variable: we can go to Environment variables, click on Edit, and then see here Encryption configuration. Click on that, enable encryption, and see it is asking for encryption; click on Encrypt, and then here the AWS KMS key we need to choose, so just now I created this lambda kms demo. And then here AWS is also providing the code for decryption, so I'll be keeping this handy, I'll be copying this. And then here we can click on Encrypt. So our this value is now encrypted. City explicitly I am not encrypting, because it is not something that has to be secured, but the API key, user ID, password or JDBC URL which is connecting to some database you must encrypt like this. Now this particular environment variable is encrypted, but if we simply try to run, then it will throw an error, because using os.environ we are able to access the encrypted key, but we need to decrypt it before using. So the code which I copied that time, I just pasted it here. import os is coming two times; I'll be deleting one. And then here, see, first we are reading that encrypted key and then we are decrypting using this piece of code, so basically the decrypted key will be stored here. I'll be copying this and I'll be replacing here. So now what is the overall code becoming? First thing, there is no hardcoding of any city name or our API key; moreover our API key is now secured. Suppose someone who has access to Lambda, if they try to go to Configuration and if they go to this api key, here the API key should be secure. Let me refresh this; it is not showing that security. Let me edit. Okay, I think I forgot to save that. So here I need to go to Enable and then click on Encrypt, and basically encrypt that using the lambda kms key, whatever we created, and I can click on Encrypt, and once it is encrypted you need to save here. Make sure you're saving. Now see here, the API key is having this encrypted version. No one can understand what the actual API key is until they can decrypt it, and decryption they cannot do from any code; only using this particular Lambda they can do it, because this Lambda has access to decrypt that. That's what we have given: the IAM role, we have given in that KMS key creation. Not all Lambdas can easily decrypt this; if you execute the same code in even another Lambda which doesn't have that role access to the KMS key, the code will throw an error.

So now I can deploy this, and then I can click on Test. This particular test event I can create; in my case I have given some name, I can click on Create, and then if I run this you will see that the test event was successfully saved. If I go to Test, here my test event is saved. What we need to do, we need to test this out, and see, the execution result is successful. Here you will see that we are getting the temperature related information for Orlando city as 31.64 degree Celsius. All this is happening because this particular AWS Lambda function has access to that KMS key; otherwise this decryption will not be possible. I'll be showing you that too. What I will do, I'll be copying this particular piece of code, and then here I will go to Functions, I'll be creating another function, maybe some name I can give, demo two kms, and here I'll be choosing the Python version as Python 3.7 and I will create this function. Here I can test the same. So this particular code I have pasted, I have deployed. Now in the Configuration what we'll do, we will edit this, Add environment variable. I will add that api key; what is the value? We created it; let me go back to the function. So this is the function we just now created, lambda kms testing, and then what I will do, I will basically go to Configuration and I will try to copy this particular api key. Suppose I am the hacker and I am trying to just replicate the same thing, whatever is done in this code, and try to access that. Listed the city, and this is the value, and then save it. So now I basically created another Lambda which is having the same api key and the same city name as environment variables. The same code also; the code is also not changed; I deployed the code. Now if I test this, see what will happen. Let me go directly to Test here, and then if I click on Test you will see something really interesting will happen. So here: execution result failed. Here what is it telling? Task timed out after 3.06 seconds. Sometimes it might happen; no need to worry. Let me increase that: I'll go to Configuration, and here I'll go to General configuration, I will edit this and maybe I will increase the Lambda function runtime to 30 seconds, save this, and then let me try to test this code. So see, it got failed. What is the reason? You can clearly see: an error occurred while calling the Decrypt operation: the ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. So I replicated the same scenario as my earlier function: I gave the same in the configuration, in the environment variables I added the same api key and city, I added the same decryption code in the Lambda function, but still the Lambda function cannot be used, because we have made the security using KMS, and we have mentioned to KMS that only that Lambda role, whatever we mentioned at that time, that should be able to access; no other Lambda can access this one.

So I hope you are understanding this particular feature: you can control the access of the cryptographic key or ciphertext using IAM users and roles. Automatic key rotation is something which you can explore, and re-enable disabled keys is also an interesting feature. If you go to KMS you will see that here this particular key is disabled; what you can do, just click on this, and if you go to Key actions you can click on Enable, and it will be enabled, and all those places where applications are using this particular key for encrypting or decrypting some secret credential can be reused. So these kinds of things you can control using this Key Management Service or KMS. I hope the importance with respect to making your code more secure, and how to use KMS with Lambda, how to use environment variables, this picture is clear to you. If you find this video helpful then please like, share and comment, subscribe to our channel if you have not subscribed till now, and don't forget to press the bell icon to get the notification of our latest videos. Thank you.
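The decrypt-in-the-handler flow described above, written out as an added example (this is not the code from the video or the console's helper snippet): the encrypted variable is base64-decoded, sent to KMS with the `LambdaFunctionName` encryption context the console helper uses, and cached so a warm container does not call KMS on every invocation. `FakeKms` is a constructed stand-in so the block runs offline; it models the two ways the copied ciphertext fails in a second function (the role is not a key user, or the function name in the context differs). The `city` and `api_key` variable names and the weather endpoint URL are assumptions.

```python
import base64
import os
from typing import Callable, Dict, Set

# A decrypter maps (ciphertext, encryption context) -> plaintext bytes.
Decrypter = Callable[[bytes, Dict[str, str]], bytes]

# Plaintexts already decrypted in this container, so warm invocations skip KMS.
_plaintext_cache: Dict[tuple, str] = {}


def kms_decrypter(ciphertext: bytes, context: Dict[str, str]) -> bytes:
    """Production path: ask KMS to decrypt. This only succeeds when the
    function's execution role is a key user on the key that produced the blob."""
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return boto3.client("kms").decrypt(
        CiphertextBlob=ciphertext, EncryptionContext=context)["Plaintext"]


def decrypt_env(name: str, decrypter: Decrypter = kms_decrypter, environ=os.environ) -> str:
    """Return the plaintext of encrypted environment variable `name`, decrypting
    once per (function, ciphertext) and caching it for the container's lifetime."""
    function_name = environ["AWS_LAMBDA_FUNCTION_NAME"]  # set by the Lambda runtime
    encrypted = environ[name]  # KeyError here means the variable was never configured
    key = (function_name, encrypted)
    if key not in _plaintext_cache:
        # The console helper binds the blob to the function name; decrypting it from
        # a differently named function fails even if that function's role may use the key.
        context = {"LambdaFunctionName": function_name}
        _plaintext_cache[key] = decrypter(base64.b64decode(encrypted), context).decode("utf-8")
    return _plaintext_cache[key]


class FakeKms:
    """Offline stand-in for KMS, constructed for this example only. A 'ciphertext'
    is key_id|function_name|plaintext; decrypt enforces key-user access and context."""

    def __init__(self, key_users: Dict[str, Set[str]]):
        self.key_users = key_users  # key id -> IAM roles allowed to use the key

    def encrypt(self, key_id: str, plaintext: str, context: Dict[str, str]) -> str:
        blob = f"{key_id}|{context['LambdaFunctionName']}|{plaintext}".encode("utf-8")
        return base64.b64encode(blob).decode("ascii")  # what the console would store

    def decrypter_for(self, role: str) -> Decrypter:
        def decrypt(ciphertext: bytes, context: Dict[str, str]) -> bytes:
            key_id, bound_fn, plaintext = ciphertext.decode("utf-8").split("|", 2)
            if role not in self.key_users.get(key_id, set()):
                raise PermissionError(f"role {role} may not use key {key_id}")
            if bound_fn != context["LambdaFunctionName"]:
                raise ValueError("encryption context mismatch")
            return plaintext.encode("utf-8")
        return decrypt


def build_weather_url(environ, decrypter: Decrypter = kms_decrypter) -> str:
    """The handler's request: city stays in clear, the API key is decrypted first.
    The endpoint URL is an assumption, not quoted from the video."""
    city = environ["city"]
    api_key = decrypt_env("api_key", decrypter, environ)
    return f"https://api.openweathermap.org/data/2.5/weather?q={city}&appid={api_key}&units=metric"
```

Inside a real function, call `build_weather_url(os.environ)` and pass the result to `requests.get`; the default `kms_decrypter` then does the KMS call the video's pasted snippet performs.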
Info
Channel: Knowledge Amplifier
Views: 444
Keywords: Encrypt and Decrypt AWS Lambda Function Environment Variables using AWS KMS, aws kms best practices, aws kms key, aws kms automatic key rotation, aws kms customer managed keys, aws kms tutorial, aws kms encrypt decrypt example, aws kms deep dive, aws security specialty, aws security deep dive, aws data security, aws basics for beginners, serverless, kms, aws, security, key management service, encryption, software development, coding, programming, python, boto3
Id: mBoxHTa8x-w
Length: 23min 53sec (1433 seconds)
Published: Wed Oct 06 2021