AWS Lambda always provides server-side encryption at rest with an AWS KMS key. By default, Lambda uses an AWS managed key. If this default behavior suits your workflow, you don’t need to set anything else up. Lambda creates the AWS managed key in your account and manages permissions to it for you. AWS doesn’t charge you to use this key.
Edit environment variables page, choose Encryption configuration, and check the status of the Enable helpers for encryption in transit setting under Encryption in transit. If this setting is disabled, the environment variables defined for the selected AWS Lambda function are not encrypted in transit. If the setting is enabled but the function’s environment variables that store sensitive information (those listed in the rule settings) are not encrypted, i.e. their values are visible in plain text rather than as encoded ciphertext, then those variables are not encrypted in transit either, and the sensitive information stored in them is not protected from unauthorized access.
Additional encryption can be enabled by ticking the Enable helpers for encryption in transit box, but it won’t work without a custom KMS key. If we want to use the encryption helpers and apply this higher level of encryption, we have to use a custom KMS key, also called a customer master key (CMK). Creating the key alone is not enough to encrypt, though: because the default AWS managed key is not used here, Lambda needs permission to use the CMK to decrypt the secrets when the function is invoked, so a policy granting kms:Decrypt on the CMK we created must be added to the function’s execution role. Once that permission is in place, the Enable helpers for encryption in transit box can be ticked.
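The following is an added example, not code from the original page or from AWS, showing the two pieces the procedure above needs: the least-privilege kms:Decrypt statement for the function's execution role (with a check that flags a wildcard resource), and the runtime decryption of a helper-encrypted variable bound to the function name via EncryptionContext, which is how the Lambda console helper ties the ciphertext to one function. KEY_ARN_PLACEHOLDER, DB_PASSWORD, FakeKmsClient and build_fake_deployment are assumptions constructed for this example so it runs offline; the only real AWS API shape used is kms.decrypt() with CiphertextBlob and EncryptionContext, and the lambda_handler at the end calls the real boto3 client inside the Lambda runtime.

```python
"""Decrypting helper-encrypted Lambda environment variables with a CMK."""
import base64

# Constructed placeholder for the customer master key (CMK) ARN; not a real key.
KEY_ARN_PLACEHOLDER = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def execution_role_policy(key_arn):
    """Least-privilege statement for the function's execution role:
    kms:Decrypt only, and only on the CMK that encrypted the variables."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}
        ],
    }


def policy_allows_decrypt(policy, key_arn):
    """True if some Allow statement grants kms:Decrypt on exactly key_arn.
    A wildcard Resource is deliberately not accepted, so an over-broad
    policy is flagged rather than waved through."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "kms:Decrypt" in actions and key_arn in resources:
            return True
    return False


class FakeKmsClient:
    """Offline stand-in for boto3's KMS client (constructed for this example).
    It mirrors the kms.decrypt() call shape and rejects a ciphertext whose
    EncryptionContext differs from the one it was encrypted under, as real
    KMS does."""

    def __init__(self, key_arn, store):
        self.key_arn = key_arn
        self._store = store  # ciphertext bytes -> (plaintext bytes, context)

    def decrypt(self, CiphertextBlob, EncryptionContext=None, **_):
        plaintext, ctx = self._store[CiphertextBlob]
        if ctx != (EncryptionContext or {}):
            raise PermissionError("InvalidCiphertextException: context mismatch")
        return {"KeyId": self.key_arn, "Plaintext": plaintext}


def build_fake_deployment(secret, function_name):
    """Simulate 'encrypt DB_PASSWORD with the CMK via the console helper':
    returns (kms_client, environ). environ carries the base64 ciphertext plus
    AWS_LAMBDA_FUNCTION_NAME, which the real runtime sets automatically."""
    ciphertext = b"opaque-kms-ciphertext:" + secret.encode()  # constructed
    store = {ciphertext: (secret.encode(), {"LambdaFunctionName": function_name})}
    environ = {
        "DB_PASSWORD": base64.b64encode(ciphertext).decode("ascii"),
        "AWS_LAMBDA_FUNCTION_NAME": function_name,
    }
    return FakeKmsClient(KEY_ARN_PLACEHOLDER, store), environ


def decrypt_env_var(name, kms_client, environ):
    """Base64-decode the stored ciphertext and decrypt it with the function
    name bound as EncryptionContext, the same binding the console helper used
    when it encrypted the value. Fails if the execution role lacks kms:Decrypt
    on the CMK or if the ciphertext belongs to a different function."""
    resp = kms_client.decrypt(
        CiphertextBlob=base64.b64decode(environ[name]),
        EncryptionContext={"LambdaFunctionName": environ["AWS_LAMBDA_FUNCTION_NAME"]},
    )
    return resp["Plaintext"].decode("utf-8")


def lambda_handler(event, context):
    """Real handler for the Lambda runtime: uses boto3 and the process
    environment. Only the secret's length is returned, never its value."""
    import os
    import boto3  # present in the Lambda Python runtime
    password = decrypt_env_var("DB_PASSWORD", boto3.client("kms"), os.environ)
    return {"statusCode": 200, "body": "secret loaded (%d chars)" % len(password)}
```

In production, cache the decrypted value in a module-level variable so the KMS call happens once per execution environment rather than on every invocation, and keep the Resource of the kms:Decrypt statement pinned to the single CMK ARN; policy_allows_decrypt returns False for a "*" resource precisely so that drift toward a wildcard is caught.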
Full encryption of environment variables in Lambda is only possible with customer master keys (CMKs) in KMS.
When a CMK is specified for and attached to the Lambda function, the sensitive information in its environment variables is encrypted both during and after deployment.