Serverless-application-model: Setting KMS key for Lambda function

Created on 30 Mar 2017  ·  4 Comments  ·  Source: aws/serverless-application-model

CloudFormation lets you specify a KMS key via the KmsKeyArn attribute. However, this does not seem to be supported by SAM.

Template snippet

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      KmsKeyArn: !Sub "${MyKmsKey}"

Error when calling aws cloudformation deploy:

Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [MyFunction] is invalid. property KmsKeyArn not defined for resource of type AWS::Serverless::Function

Is there another way of setting this or is this feature missing at the moment?

All 4 comments

This might be a duplicate of #48

Right, although #48 is requesting more than this. This issue is just about supporting the CloudFormation attribute KmsKeyArn, no additional changes like CLI support for encryption.

SAM now supports KmsKeyArn. I will update the documentation tomorrow.

Hi, I'm looking to get a bit more clarity about how to declare KMS keys in the yaml using SAM. The following structure works when deployed but we've been advised this is very poor from a security perspective:

Resources:
    MyFunction:
        Type: AWS::Serverless::Function
        Properties:
            KmsKeyArn: !Sub arn:aws:kms:region:number:key/id
            Policies:
                - Statement:
                    Effect: Allow
                    Action:
                        - "kms:*"
                        - "s3:*"
                    Resource:
                        - "*"

However if I try to add a specific key to the 'Resource' section such as:

- !Sub arn:aws:kms:region:number:key/id
or
- "arn:aws:kms:region:number:key/id"

everything packages and deploys ok but I get the following error when I try to run the lambda on the console:

"errorMessage": "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

p.s. I have declared the specific bucket that the lambda is used on in the Resource section as follows so I don't think it is a bucket issue:

- "arn:aws:s3:::mybucket/*"

Apologies if I should have started a new thread? I thought this would be relevant to post here?
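A least-privilege version of the template in the comment above, added here as an example and not taken from the thread or from the SAM project. It keeps the KmsKeyArn property, but splits the wildcard grant into one statement per service, scopes each to the single key and bucket, and names only the actions a function writing objects needs. The key ARN parameter and bucket name are placeholders, and the two KMS actions are assumptions: kms:Decrypt so the execution role can read environment variables encrypted with that key, and kms:GenerateDataKey for PutObject to a bucket using SSE-KMS.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  # Placeholder: ARN of an existing customer-managed KMS key, passed at deploy time
  EncryptionKeyArn:
    Type: String
  # Placeholder bucket the function writes to
  BucketName:
    Type: String
    Default: mybucket

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      # Customer-managed key used to encrypt this function's environment variables
      KmsKeyArn: !Ref EncryptionKeyArn
      Policies:
        - Version: '2012-10-17'
          Statement:
            # KMS: only the operations the function itself performs, on this one key
            - Effect: Allow
              Action:
                - kms:Decrypt          # assumed: decrypt env vars at invocation
                - kms:GenerateDataKey  # assumed: PutObject with SSE-KMS
              Resource: !Ref EncryptionKeyArn
            # S3: object writes limited to the one bucket, nothing else
            - Effect: Allow
              Action:
                - s3:PutObject
              Resource: !Sub arn:aws:s3:::${BucketName}/*
```

If the bucket uses SSE-KMS with a different key than the one given to KmsKeyArn, that key's ARN must be added to the KMS statement's Resource list as well.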
