小贝子编程

如何使用CloudFormation加密lambda变量



aws云形式模板,其中包含具有敏感环境变量的lambda函数。我想设置一个kms键并用它加密

添加基本的云形式以加密密钥,即使AWS/lambda默认加密

也可以 
  LambdaFunction:
            Type: AWS::Lambda::Function
            DependsOn: LambdaRole
            Properties:
              Environment:
               Variables:
                 key: AKIAJ6W7WERITYHYUHJGHN
                 secret: PGDzQ8277Fg6+SbuTyqxfrtbskjnaslkchkY1
                 dest: !Ref dstBucket
              Code:
                ZipFile:  |
                   from __future__ import print_function
                   import os
                   import json
                   import boto3
                   import time
                   import string
                   import urllib
                   print('Loading function')
                   ACCESS_KEY_ID = os.environ['key']
                   ACCESS_SECRET_KEY = os.environ['secret']
                   #s3_bucket = boto3.resource('s3',aws_access_key_id=ACCESS_KEY_ID,aws_secret_access_key=ACCESS_SECRET_KEY)
                   s3 = boto3.client('s3',aws_access_key_id=ACCESS_KEY_ID,aws_secret_access_key=ACCESS_SECRET_KEY)
                   #s3 = boto3.client('s3')
                   def handler(event, context):
                      source_bucket = event['Records'][0]['s3']['bucket']['name']
                      key = event['Records'][0]['s3']['object']['key']
                      #key = urllib.unquote_plus(event['Records'][0]['s3']['object']['key'])
                      #target_bucket     =  "${dstBucket}"
                      target_bucket = os.environ['dest']
                      copy_source = {'Bucket':source_bucket, 'Key':key}
                      try:
                        s3.copy_object(Bucket=target_bucket, Key=key, CopySource=copy_source)
                      except Exception as e:
                        print(e)
                        print('Error getting object {} from bucket {}. Make sure they exist '
                           'and your bucket is in the same region as this '
                           'function.'.format(key, source_bucket))
                        raise e

AWS云形式模板,其中包含具有敏感环境变量的lambda函数。我想设置一个kms键并用它加密

您可以通过使用kmms密钥对AWS SSM参数存储中存储访问密钥和秘密键。转到AWS Systems Manager->参数存储 ->创建参数。您可以选择安全的字符串选项,然后选择与之加密的KMS密钥。您可以通过boto3函数调用访问该参数。例如,响应=客户端。您可以使用"响应"变量来参考访问密钥。确保Lambda功能具有足够的权限,可以使用该KMS键来解密您存储的参数。将所有必要的解密权限附加到Lambda使用的IAM角色上。这样,您就无需将访问密钥和秘密密钥作为环境变量传递。希望这会有所帮助!

您可以使用AWS KMS服务手动创建KMS密钥(或(通过使用CFT(https://docs.aws.amazon.com/awscloudformation/latest/userguide/aws-resource-kms-key.html(

返回值将具有可用于lambda cft

的kmskeyarn属性的ARN

https://docs.aws.amazon.com/awscloudformation/latest/userguide/aws-resource-lambda-function.html#cfn-cfn-lambda-function-kmskeyarn

希望这会有所帮助!

您还可以使用Secrets Manager AWS :: SecretSmanager :: Secret CFN资源来存储秘密值和云形式。在模板中,使用云形式动态引用从SSM Paramenter Store或Secrets Manager中检索该秘密的值。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium