Updating encryption for lambda env vars - cont

[mourya-33]

Feature or Bugfix

• Bugfix

Detail

Adding encryption with KMS for lambda environment variables

Relates

• Enable encryption for environment variables in lambdas - cont #1319

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A
  • Is the input sanitized? N/A
  • What precautions are you taking before deserializing the data you consume? N/A
  • Is injection prevented by parametrizing queries? N/A
  • Have you ensured no eval or similar functions are used? N/A
• Does this PR introduce any functionality or component that requires authorization? N/A
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
  • Are you logging failed auth attempts? N/A
• Are you using or adding any cryptographic features? Adding KMS key for encrypting lambda env vars for trigger functions and cognito functions
  • Do you use a standard proven implementations?
  • Are the used keys controlled by the customer? Where are they stored? N/A
• Are you introducing any new policies/roles/users? N/A
  • Have you used the least-privilege principle? How? N/A

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[noah-paige]

Hi @mourya-33 - these changes look good but is there any reason you did not also pass lambda_env_key to the SavePerms TriggerFunctionStack?

Or also the TriggerFunction-CognitoConfig trigger function in cognito.py?

[petrkalos]

lgtm!

qq, how did you realise that there were unencrypted env vars? did you use some automation?

[fourtyplustwo]

@petrkalos checkov scans... Which we need to add into data.all and to scan synthesized CDK stacks .. It's one of the logged tasks.