This is the third part in a series of articles that describe Using AWS KMS to Encrypt Values in CloudFormation Stacks.

I have always shied away from creating custom resources for CloudFormation. It’s not that it’s hard, but I wasn’t interested in bearing the additional burden of maintaining the required infrastructure to support them. That all changed when AWS introduced Lambda-backed custom resources. Let’s get started.

Go to the Lambda console in the AWS console and create a new Lambda function.

Step 1: Select blueprint (skip it!)

We’ll skip “Step 1: Select blueprint” by using the “Skip” button at the bottom of the page. See how easy this is?! ;-)

Step 2: Configure function

Here is the meat of this section. Use the following values to get your new Lambda function created.

  • Name: cloud-formation-kms-resource
  • Description: A custom CloudFormation resource that encrypts values using KMS
  • Runtime: Python 2.7

Configure function screenshot

Lambda function code

Lambda function code screenshot

Lambda function handler and role

  • Handler: lambda_function.lambda_handler
  • Role: lambda-kms-for-cloud-formation (this is the role we created in the previous step)

The defaults for the remainder of the fields are sufficient.

Lambda function handler screenshot

Step 3: Review

Review the information on the final screen, create the Lambda function, and we’re done. Make a note of the function’s ARN as we’ll need it for the final step.

Lambda ARN screenshot

The Lambda function you just created will receive an event from CloudFormation, encrypt the plain text included in that request using AWS KMS, and return the encrypted value to CloudFormation through the pre-signed URL that was included in the event.
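The page shows the function code only as a screenshot, so here is an added example of a handler that does what the paragraph above describes; it is not the series' own code. It is written for Python 3 rather than the Python 2.7 runtime selected above, and the resource property names `KeyId` and `PlainText`, the returned attribute `CipherText`, and the `kms`/`send` parameters (there so the handler can be exercised without AWS) are assumptions made for this example. The `lambda-kms-for-cloud-formation` role must allow `kms:Encrypt` on the key for the call to succeed.

```python
import base64
import json
import urllib.request

# Property and attribute names are assumptions for this example; the series may
# use different ones in its own function.
PROP_KEY_ID = "KeyId"            # KMS key id, alias or ARN to encrypt under
PROP_PLAIN_TEXT = "PlainText"    # value to encrypt
DATA_CIPHER_TEXT = "CipherText"  # attribute readable with Fn::GetAtt


def build_response(event, status, data=None, reason=None):
    """Build the JSON body CloudFormation expects at the pre-signed ResponseURL."""
    return {
        "Status": status,  # "SUCCESS" or "FAILED"
        "Reason": reason or "See CloudWatch Logs for details",
        # Nothing exists outside CloudFormation, so the logical id serves as physical id.
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(response_url, body):
    """PUT the response to the pre-signed S3 URL CloudFormation placed in the event."""
    payload = json.dumps(body).encode("utf-8")
    # The URL was pre-signed with an empty Content-Type, so it must stay empty here.
    req = urllib.request.Request(
        response_url, data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def encrypt_value(kms, key_id, plain_text):
    """Encrypt plain_text under key_id; return the ciphertext as base64 text for the template."""
    result = kms.encrypt(KeyId=key_id, Plaintext=plain_text.encode("utf-8"))
    return base64.b64encode(result["CiphertextBlob"]).decode("ascii")


def handle_event(event, kms):
    """Map a custom-resource event to its response body (no network I/O here)."""
    if event["RequestType"] == "Delete":
        # Nothing was created outside the stack, so a delete is always a success.
        return build_response(event, "SUCCESS")
    props = event.get("ResourceProperties", {})
    missing = [p for p in (PROP_KEY_ID, PROP_PLAIN_TEXT) if not props.get(p)]
    if missing:
        return build_response(event, "FAILED", reason="Missing properties: " + ", ".join(missing))
    cipher_text = encrypt_value(kms, props[PROP_KEY_ID], props[PROP_PLAIN_TEXT])
    return build_response(event, "SUCCESS", data={DATA_CIPHER_TEXT: cipher_text})


def lambda_handler(event, context, kms=None, send=send_response):
    """Entry point matching the handler value above: lambda_function.lambda_handler."""
    if kms is None:
        import boto3  # present in the Lambda runtime; imported lazily so the module loads without it
        kms = boto3.client("kms")
    try:
        body = handle_event(event, kms)
    except Exception as exc:
        # Always answer: without a response the stack waits until the resource times out.
        body = build_response(event, "FAILED", reason=str(exc))
    # Never log event["ResourceProperties"]; it carries the plaintext being protected.
    send(event["ResponseURL"], body)
    return body["Status"]
```

A template reads the result with `Fn::GetAtt` on the `CipherText` attribute, and the reply is sent for every request type, including failures, so that a broken property or a denied `kms:Encrypt` call surfaces as a stack error instead of a stuck rollback.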