How should the security team securely store the API key?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company’s policy requires that all API keys be encrypted and stored separately from source code in a centralized security account.This security account is managed by the company’s security team.However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWSCodeCommit repository in the DevOps account.

How should the security team securely store the API key?

Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environmental variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.

Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.

Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.

Explanations:

Storing the API key in a CodeCommit repository is not a secure practice, even if encryption via AWS KMS is used. CodeCommit repositories are designed for source code and not for sensitive data storage like API keys.

Using an S3 bucket with a presigned URL is not ideal for securely storing API keys. While S3 encryption could be used, the presigned URL exposes the key to risks, and this approach does not align with best practices for managing sensitive data like API keys.

AWS Secrets Manager is the best solution for securely storing API keys. It is designed for this purpose, and using KMS for encryption ensures the key is securely stored. The Lambda function can securely retrieve the key with appropriate IAM permissions.

Although environment variables are convenient for storing sensitive data, storing an API key directly as an encrypted environment variable is not as secure as using AWS Secrets Manager. Secrets Manager provides better control and audit capabilities.

2025-10-15

1 Comment

  1. Isaac
    Author

    I organize that the answer is:
    Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 2 =