This is the third part in a series of articles that describe Using AWS KMS to Encrypt Values in CloudFormation Stacks.
I have always shied away from creating custom resources for CloudFormation. It’s not that it’s hard, but I wasn’t interested in bearing the additional burden of maintaining the required infrastructure to support them. That all changed when AWS introduced Lambda-backed custom resources. Let’s get started.
Go to the Lambda console in the AWS console and create a new Lambda function.
Step 1: Select blueprint (skip it!)
We’ll skip “Step 1: Select blueprint” by using the “Skip” button at the bottom of the page. See how easy this is?! ;-)
Step 2: Configure function
Here is the meat of this section. Use the following values to get your new Lambda function created.
- Name: cloud-formation-kms-resource
- Description: A custom CloudFormation resource that encrypts values using KMS
- Runtime: Python 2.7 (the runtime available when this was written; Lambda no longer lets you create Python 2.7 functions, so pick a current Python 3 runtime and check that the pasted code runs on it)
Lambda function code
- Code entry type: Edit code inline
- Paste the Python code that I maintain in a GitHub Repository
Lambda function handler and role
- Handler: lambda_function.lambda_handler
- Role: lambda-kms-for-cloud-formation (the execution role created in the previous part of this series; it needs permission to call kms:Encrypt on the key you will use, and nothing broader)
The defaults for the remainder of the fields are sufficient.
Step 3: Review
Review the information on the final screen, create the Lambda function, and we’re done. Make a note of the function’s ARN as we’ll need it for the final step.
The Lambda function you just created will receive an event from CloudFormation, encrypt the plaintext included in that request's resource properties using AWS KMS, and return the encrypted value to CloudFormation by PUTting a JSON response document to the pre-signed S3 URL (ResponseURL) included in the event. Two things matter when writing such a handler: it must always send a response, including on failure and for Delete requests, because CloudFormation keeps waiting (by default for an hour) until one arrives, and it should never log or echo the plaintext it was asked to encrypt.
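To make that flow concrete, here is an added example of such a handler written for Python 3. It is not the code from the author's GitHub repository; the property names `KeyId` and `PlainText`, the returned attribute `CipherText`, and the `FakeKms` stub (a constructed stand-in for boto3's KMS client so the block runs offline) are all assumptions made here. boto3 is imported lazily inside `lambda_handler` for the same reason.

```python
# Added example of a Lambda-backed CloudFormation custom resource that
# encrypts a value with KMS. Not the author's repository code; property
# names KeyId / PlainText and the CipherText attribute are assumed here.
import base64
import json
import urllib.request


def build_response(event, status, data=None, reason=None):
    """Build the JSON document CloudFormation expects at ResponseURL."""
    # PhysicalResourceId must stay stable across Update/Delete of the same
    # resource: reuse the one CloudFormation sent, otherwise derive one.
    physical_id = event.get("PhysicalResourceId") or (
        event["StackId"].split("/")[-1] + "-" + event["LogicalResourceId"]
    )
    return {
        "Status": status,
        "Reason": reason or "See the CloudWatch log stream for details",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def encrypt_value(kms, key_id, plaintext):
    """Encrypt with KMS and return the ciphertext blob base64-encoded."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext.encode("utf-8"))
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def handle_request(event, kms):
    """Turn a custom-resource event into a response body without raising."""
    if event["RequestType"] == "Delete":
        # Nothing to tear down: the ciphertext lives in the stack, not in
        # KMS. Reporting SUCCESS lets the stack delete cleanly.
        return build_response(event, "SUCCESS")
    props = event.get("ResourceProperties", {})
    key_id = props.get("KeyId")
    plaintext = props.get("PlainText")
    if not key_id or plaintext is None:
        return build_response(
            event, "FAILED", reason="KeyId and PlainText properties are required"
        )
    try:
        ciphertext = encrypt_value(kms, key_id, plaintext)
    except Exception as exc:  # AccessDenied, NotFoundException, throttling...
        # Report FAILED rather than letting the exception escape, so the
        # stack does not hang. Only the error text goes back, never the plaintext.
        return build_response(event, "FAILED", reason=str(exc)[:1000])
    return build_response(event, "SUCCESS", data={"CipherText": ciphertext})


def put_response(response_url, body):
    """PUT the response to the pre-signed S3 URL CloudFormation provided."""
    payload = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        response_url, data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context):
    """Entry point named in the console as lambda_function.lambda_handler."""
    import boto3  # present in the Lambda runtime; imported lazily for offline runs
    body = handle_request(event, boto3.client("kms"))
    put_response(event["ResponseURL"], body)
    return body


class FakeKms:
    """Constructed stand-in for boto3's KMS client so the block runs offline."""

    def encrypt(self, KeyId, Plaintext):
        if not KeyId.startswith("arn:aws:kms:"):
            raise ValueError("NotFoundException: invalid KeyId " + KeyId)
        return {"KeyId": KeyId, "CiphertextBlob": b"FAKE|" + Plaintext}


# Constructed sample event in the shape CloudFormation sends to the function.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/presigned",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/11111111-2222-3333-4444-555555555555",
    "RequestId": "8a9b0c1d-demo",
    "LogicalResourceId": "DbPasswordCipherText",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:cloud-formation-kms-resource",
        "KeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
        "PlainText": "hunter2",
    },
}

if __name__ == "__main__":
    print(json.dumps(handle_request(SAMPLE_EVENT, FakeKms()), indent=2))
```

`handle_request` is kept separate from `lambda_handler` so the decision logic (Delete always succeeds, missing properties and KMS errors both produce a FAILED response that still reaches CloudFormation) can be exercised without AWS credentials; in the real function the value of `CipherText` is what the template reads back with Fn::GetAtt.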