Encode and decode Lambda environment variable payloads with key-value validation.
Last verified: May 2026
Required Fields
functionName, kmsKeyArn, variables, variables.STAGE
Your team's compliance audit flagged that the API_KEY environment variable on a Lambda is encrypted with the default AWS-managed key — the audit requires customer-managed keys for cryptographic separation between accounts. You use the encryptor to: (1) generate the KMSKeyArn config for the Lambda, (2) generate the IAM policy adding kms:Decrypt for the new key, and (3) generate Node.js decrypt code for module-scope caching. End-to-end fix: 30 minutes vs. the half-day it would take to figure out the IAM permissions correctly from scratch.
The Lambda Environment Variable Encryptor helps you prepare encrypted environment variable configurations for AWS Lambda functions. Lambda environment variables are encrypted at rest by default with an AWS-managed key, but you can use a customer-managed KMS key for additional control. This tool guides you through configuring KMS-encrypted environment variables, generates the proper Lambda configuration JSON, and shows the decryption code snippets for your runtime so you can securely handle secrets in your functions.
The encryptor walks you through configuring a Lambda function's KMSKeyArn parameter to use a customer-managed KMS key, then generates the appropriate IAM policy statements for the Lambda execution role (kms:Decrypt on the specific key) and the runtime decryption code snippets (Node.js: aws-sdk's KMS.decrypt; Python: boto3 kms client; Java: AWS SDK v2 KmsClient).
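The two JSON documents described above, sketched as an added example (this is not the tool's own code): it validates the variable names, then emits the function configuration and an execution-role statement scoped to the same key ARN. The function name buildLambdaKmsConfig, the ARN strictness check, the partial reserved-name list and all sample values are assumptions made for illustration.

```javascript
// Added example; buildLambdaKmsConfig and all sample values are hypothetical.
const KEY_RE = /^[a-zA-Z][a-zA-Z0-9_]+$/; // Lambda key rule: letter first, 2+ chars
const KMS_KEY_ARN_RE = /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/[A-Za-z0-9-]+$/; // assumed strictness
const RESERVED = new Set(['AWS_REGION', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY',
  'AWS_SESSION_TOKEN', 'AWS_LAMBDA_FUNCTION_NAME']); // partial list of reserved keys
const MAX_ENV_BYTES = 4096; // Lambda caps all variables together at 4 KB

function buildLambdaKmsConfig({ functionName, kmsKeyArn, variables = {} }) {
  if (!functionName) throw new Error('functionName is required');
  // Only a full key ARN is accepted, so the IAM grant cannot land on "*" or an alias.
  if (!KMS_KEY_ARN_RE.test(kmsKeyArn || '')) throw new Error('kmsKeyArn must be a KMS key ARN');
  let bytes = 0;
  for (const [name, value] of Object.entries(variables)) {
    if (!KEY_RE.test(name)) throw new Error(`invalid variable name: ${name}`);
    if (RESERVED.has(name)) throw new Error(`reserved variable name: ${name}`);
    if (typeof value !== 'string') throw new Error(`value of ${name} must be a string`);
    bytes += Buffer.byteLength(name) + Buffer.byteLength(value); // approximate size
  }
  if (bytes > MAX_ENV_BYTES) throw new Error(`variables use ${bytes} bytes, limit is 4096`);
  return {
    // Request body for the Lambda UpdateFunctionConfiguration API.
    functionConfiguration: {
      FunctionName: functionName,
      KMSKeyArn: kmsKeyArn,
      Environment: { Variables: { ...variables } },
    },
    // Statement for the execution role: one action, one key.
    executionRolePolicy: {
      Version: '2012-10-17',
      Statement: [{ Sid: 'DecryptLambdaEnv', Effect: 'Allow', Action: 'kms:Decrypt', Resource: kmsKeyArn }],
    },
  };
}

// Constructed sample input (not a real account or key).
const sample = buildLambdaKmsConfig({
  functionName: 'orders-api',
  kmsKeyArn: 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
  variables: { STAGE: 'prod', LOG_LEVEL: 'info' },
});
console.log(JSON.stringify(sample, null, 2));
```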
Lambda environment variables (encrypted or not) appear in CloudWatch Logs if your function logs the environment for debugging. Even with KMS encryption at rest, an inadvertent `console.log(process.env)` in production code exposes secrets in plaintext to anyone with log access. Always use Secrets Manager for genuine secrets and environment variables for non-secret config.
Customer-managed KMS keys for Lambda env vars cost ~$1/key/month plus $0.03 per 10K decrypt API calls. With provisioned concurrency, every cold start triggers a decrypt — high-throughput functions can rack up significant KMS API costs. Cache decrypted values in module scope (not in handler scope) to amortize the decryption.
Lambda Powertools has a built-in Parameters utility that handles KMS-encrypted environment variables, Parameter Store, and Secrets Manager with automatic caching. For most Python/Node Lambda projects, using the utility is preferable to hand-rolled decrypt code — it handles key rotation, caching, and error retry correctly.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.