1
00:00:00,230 --> 00:00:02,780
Okay. So let's practice using Lambda with KMS.

2
00:00:02,780 --> 00:00:05,340
For this I'm going to create a function from scratch.

3
00:00:05,340 --> 00:00:08,540
Call it Lambda KMS, use the Python runtime

4
00:00:08,540 --> 00:00:10,000
and create my function.

5
00:00:10,000 --> 00:00:12,050
So here we're going to play with how we can

6
00:00:12,050 --> 00:00:14,930
encrypt environment variables within Lambda.

7
00:00:14,930 --> 00:00:16,570
And for this, we'll be using the tutorial key

8
00:00:16,570 --> 00:00:20,770
that we have generated from before in KMS, okay.

9
00:00:20,770 --> 00:00:22,630
So one thing to know is that first we want to

10
00:00:22,630 --> 00:00:24,740
know what problem we are solving.

11
00:00:24,740 --> 00:00:27,540
So let's say for example, that we have a Lambda function

12
00:00:27,540 --> 00:00:29,200
and this Lambda function is very simple.

13
00:00:29,200 --> 00:00:31,250
It returns great.

14
00:00:31,250 --> 00:00:34,530
And in it, at some point we have a DB password

15
00:00:34,530 --> 00:00:35,840
variable that we're going to have.

16
00:00:35,840 --> 00:00:37,610
So DB underscore password

17
00:00:37,610 --> 00:00:40,040
and one way we could do it is just say, okay

18
00:00:40,040 --> 00:00:42,800
if your database wants to connect to the database password,

19
00:00:42,800 --> 00:00:44,820
just have database password as part of the code.

20
00:00:44,820 --> 00:00:46,970
So you have super secret as part of the code

21
00:00:46,970 --> 00:00:49,920
but this is not great because well, if you deploy this

22
00:00:49,920 --> 00:00:51,610
and then someone has access to your

23
00:00:51,610 --> 00:00:53,440
code of your Lambda function,

24
00:00:53,440 --> 00:00:55,290
then they can see directly the database password

25
00:00:55,290 --> 00:00:58,390
is super secret, so that's not great.
26
00:00:58,390 --> 00:01:00,290
You can say, Hey Stefan, you told us something,

27
00:01:00,290 --> 00:01:01,950
you can tell us about environment variables.

28
00:01:01,950 --> 00:01:06,290
So you can do os dot getenv DB underscore password.

29
00:01:06,290 --> 00:01:08,430
And this looks better because now, well

30
00:01:08,430 --> 00:01:12,290
the database password is not in my function code.

31
00:01:12,290 --> 00:01:14,560
So you would go into the configuration

32
00:01:14,560 --> 00:01:17,000
and then for environment variables you would create one,

33
00:01:17,000 --> 00:01:18,820
you would add it called DB password.

34
00:01:18,820 --> 00:01:21,460
And here you would place super secret.

35
00:01:21,460 --> 00:01:23,580
And this works better because, well now

36
00:01:23,580 --> 00:01:27,270
the code doesn't show the value of database password

37
00:01:27,270 --> 00:01:29,060
but the problem is that if someone has access

38
00:01:29,060 --> 00:01:31,490
to the configuration of your Lambda function

39
00:01:31,490 --> 00:01:33,510
then they can still read the database password,

40
00:01:33,510 --> 00:01:36,010
in plain text right here, of value super secret.

41
00:01:36,010 --> 00:01:37,080
So this is not amazing,

42
00:01:37,080 --> 00:01:41,087
but we can encrypt that environment variable.

43
00:01:41,087 --> 00:01:42,755
And for this there is the encryption

44
00:01:42,755 --> 00:01:44,820
configuration right here, menu.

45
00:01:44,820 --> 00:01:46,590
And you can enable the helpers

46
00:01:46,590 --> 00:01:47,800
and then you need to choose a KMS

47
00:01:47,800 --> 00:01:50,240
key to encrypt the variable at rest with.

48
00:01:50,240 --> 00:01:52,800
So we'll choose the tutorial KMS key.

49
00:01:52,800 --> 00:01:55,550
And then you just click on the encrypt button.

50
00:01:55,550 --> 00:01:59,093
So we'll say, Hey, use this one and encrypt.
51
00:02:00,440 --> 00:02:03,090
So now my environment variable is encrypted,

52
00:02:03,090 --> 00:02:04,310
as you can see right here.

53
00:02:04,310 --> 00:02:07,550
And so there is a decrypt secret snippets code

54
00:02:07,550 --> 00:02:09,810
that we need to use to decrypt that secret.

55
00:02:09,810 --> 00:02:12,830
So what I'm going to do is just copy this entire blob

56
00:02:12,830 --> 00:02:14,470
of code right here, paste it

57
00:02:14,470 --> 00:02:15,910
and then I will show you what it does.

58
00:02:15,910 --> 00:02:19,310
So we are going to save this part,

59
00:02:19,310 --> 00:02:22,290
we'll go into the code and I'm going to just

60
00:02:23,330 --> 00:02:24,800
paste this, okay.

61
00:02:24,800 --> 00:02:27,320
And so now we have an encrypted environment

62
00:02:27,320 --> 00:02:29,680
variable that's OS dot a get in

63
00:02:29,680 --> 00:02:32,450
which is the same as environ DB password.

64
00:02:32,450 --> 00:02:34,860
Okay. Then we have a decrypted environment variable

65
00:02:34,860 --> 00:02:37,890
which is taking the KMS client, okay.

66
00:02:37,890 --> 00:02:41,960
Using the AWS SDK and is going to issue a decrypt call.

67
00:02:41,960 --> 00:02:43,270
And then it's going to say, Hey

68
00:02:43,270 --> 00:02:47,170
you should decrypt that environment variable and use

69
00:02:47,170 --> 00:02:50,060
for this as an encryption context the Lambda function name.

70
00:02:50,060 --> 00:02:51,670
Okay. So then get the result

71
00:02:51,670 --> 00:02:54,720
plain text and decode as UTF 8.

72
00:02:54,720 --> 00:02:57,930
So this is necessary for us to get the decrypted information.

73
00:02:57,930 --> 00:02:59,290
And so in our function

74
00:02:59,290 --> 00:03:02,020
which is going to print the encrypted value,

75
00:03:02,020 --> 00:03:04,380
print the decrypted value

76
00:03:04,380 --> 00:03:05,700
and then we're going to test that.
77
00:03:05,700 --> 00:03:07,800
So I'm going to deploy this function

78
00:03:07,800 --> 00:03:09,030
and I'm going to test this.

79
00:03:09,030 --> 00:03:12,563
We will use sample events, create.

80
00:03:13,670 --> 00:03:15,720
So let's go ahead and test this function.

81
00:03:20,350 --> 00:03:21,730
Now, the first thing we get is a failure

82
00:03:21,730 --> 00:03:22,700
because we get a timeout.

83
00:03:22,700 --> 00:03:24,450
So we have more than three seconds.

84
00:03:24,450 --> 00:03:25,840
This is early for a function.

85
00:03:25,840 --> 00:03:26,760
So what I'm going to do is go

86
00:03:26,760 --> 00:03:29,090
to configuration, general configuration.

87
00:03:29,090 --> 00:03:32,420
I will edit the timeout and I will set it to be 10 seconds.

88
00:03:32,420 --> 00:03:34,520
That should be enough, save,

89
00:03:34,520 --> 00:03:36,110
and we're going to test our function again.

90
00:03:36,110 --> 00:03:37,260
So let's test it again.

91
00:03:42,850 --> 00:03:44,270
And now we get another error

92
00:03:44,270 --> 00:03:46,140
and here we have an access denied exception.

93
00:03:46,140 --> 00:03:47,120
So this makes sense.

94
00:03:47,120 --> 00:03:50,639
Our Lambda function is trying to run a decrypt call

95
00:03:50,639 --> 00:03:53,850
on our KMS environment variable, okay,

96
00:03:53,850 --> 00:03:55,750
that we have in the encrypted one

97
00:03:55,750 --> 00:03:58,030
but we haven't provided the IAM role

98
00:03:58,030 --> 00:04:02,030
with a right to decrypt anything using that KMS key.

99
00:04:02,030 --> 00:04:03,950
So fairly simple to fix that.

100
00:04:03,950 --> 00:04:06,980
We're going to go into configuration, permissions,

101
00:04:06,980 --> 00:04:08,859
take the Lambda role.
102
00:04:08,859 --> 00:04:11,850
And we're going to have to add an inline policy

103
00:04:11,850 --> 00:04:14,260
to this role, which is a service we'll

104
00:04:15,100 --> 00:04:17,010
use the KMS service

105
00:04:17,010 --> 00:04:19,800
and we want to allow a decrypt operation.

106
00:04:19,800 --> 00:04:21,710
So this API call

107
00:04:21,710 --> 00:04:25,440
and we need to specify a specific key ARN to

108
00:04:25,440 --> 00:04:26,280
be able to decrypt that.

109
00:04:26,280 --> 00:04:28,260
So when you get the key ARN,

110
00:04:28,260 --> 00:04:32,120
we can get it directly from the console of KMS.

111
00:04:32,120 --> 00:04:35,400
So this is the full key ARN that we're going to copy

112
00:04:35,400 --> 00:04:39,600
and then paste here, and add this.

113
00:04:39,600 --> 00:04:42,110
Then review this policy, call it

114
00:04:42,110 --> 00:04:47,110
allow decrypt KMS, create this policy.

115
00:04:47,520 --> 00:04:48,360
And now we're good to go.

116
00:04:48,360 --> 00:04:51,290
We have a managed policy and an inline policy.

117
00:04:51,290 --> 00:04:55,410
So now if I go back to my code and test my function

118
00:04:55,410 --> 00:04:57,890
hopefully we are going to get a success because now

119
00:04:57,890 --> 00:05:01,150
my function can decrypt the KMS and yes, it was successful.

120
00:05:01,150 --> 00:05:02,840
So the result is great.

121
00:05:02,840 --> 00:05:05,150
And if we look at the log lines

122
00:05:05,150 --> 00:05:08,309
this is the encrypted environment variable that was passed

123
00:05:08,309 --> 00:05:12,540
to my Lambda function as an encrypted secret.

124
00:05:12,540 --> 00:05:14,730
Then this is the decrypted value, super secret.

125
00:05:14,730 --> 00:05:16,420
And then we get the end of the request.
126
00:05:16,420 --> 00:05:18,030
So using this method

127
00:05:18,030 --> 00:05:22,050
we have a code that doesn't show any information

128
00:05:22,050 --> 00:05:25,130
about the environment variable or the password itself.

129
00:05:25,130 --> 00:05:26,696
And then if we go into the configuration

130
00:05:26,696 --> 00:05:28,500
and look at the environment variables

131
00:05:28,500 --> 00:05:30,356
anyone who doesn't have access

132
00:05:30,356 --> 00:05:34,980
to the KMS key right here will not be able to decrypt this.

133
00:05:34,980 --> 00:05:37,020
And so the database password will be kept safe.

134
00:05:37,020 --> 00:05:38,330
So that's when we are doing it

135
00:05:38,330 --> 00:05:39,830
but this shows a cool integration

136
00:05:39,830 --> 00:05:42,320
between Lambda and KMS in this lecture.

137
00:05:42,320 --> 00:05:43,670
So I hope you liked it.

138
00:05:43,670 --> 00:05:45,620
And I will see you in the next lecture.