So here is my initial investigation.
The serverless example:
https://github.com/serverless/examples/tree/master/aws-node-env-variables-encrypted-in-a-file is still a security problem here because it passes the unencrypted ENV variable as a CloudFormation template and you can see the unencrypted value in the console. I'm not even sure if there is a way with CloudFormation to "Add encryption helpers and use this key", so GitHub issue 2996 might not even be possible.
https://github.com/marcy-terui/serverless-crypt gives you runtime encryption, but not using encrypted environment variables; you create a file (.serverless-secret.json) via the plugin hooks and the CipherText is decrypted at runtime by an injected module, slscrypt. This is the most secure and complete way of doing it, but unfortunately it isn't using ENV variables and will cost you a call to the KMS API.
What would be awesome is if you could add encrypted ENV variables that were encrypted by the aws/lambda key to your CloudFormation template and they were automatically decrypted at runtime. This doesn't seem possible because you can't use the aws/lambda key to encrypt anything.
JimJimovich might be able to give a bit more information on exactly how he went about using awscli to encrypt env vars.
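
The trade-off raised in the post above (only ciphertext in the template and console, at the price of a KMS call at runtime) can be shown with the following added example, which is not part of the original post and is not serverless-crypt's code. It assumes a base64 KMS ciphertext stored in a hypothetical variable `DB_PASSWORD_ENC`; `makeSecretLoader` and the injectable `decrypt` parameter are illustrative names, and the plaintext is cached so each container pays for one KMS call per secret.

```javascript
// Real decryptor (AWS SDK v3 KMSClient/DecryptCommand). Loaded lazily so the
// loader below can be exercised offline with a stub.
async function kmsDecrypt(ciphertextBlob) {
  const { KMSClient, DecryptCommand } = require("@aws-sdk/client-kms");
  const out = await new KMSClient({}).send(
    new DecryptCommand({ CiphertextBlob: ciphertextBlob })
  );
  return Buffer.from(out.Plaintext).toString("utf8");
}

// Returns getSecret(name): decrypts env[name] on first use and caches the
// in-flight promise, so concurrent and warm invocations share one KMS call.
function makeSecretLoader(env, decrypt = kmsDecrypt) {
  const cache = new Map(); // variable name -> Promise<plaintext>
  return function getSecret(name) {
    if (!cache.has(name)) {
      const b64 = env[name];
      if (!b64) return Promise.reject(new Error(`missing env var ${name}`));
      const pending = decrypt(Buffer.from(b64, "base64")).catch((err) => {
        cache.delete(name); // never cache a failure; the next call retries
        throw err;
      });
      cache.set(name, pending);
    }
    return cache.get(name);
  };
}

// Constructed demo: a stub stands in for KMS and "decrypts" by reversing bytes.
async function demo() {
  let kmsCalls = 0;
  const stubDecrypt = async (blob) => {
    kmsCalls += 1;
    return Buffer.from(blob).reverse().toString("utf8");
  };
  // Constructed sample value, not a real KMS ciphertext.
  const env = { DB_PASSWORD_ENC: Buffer.from("terces").toString("base64") };
  const getSecret = makeSecretLoader(env, stubDecrypt);
  const [first, second] = await Promise.all([
    getSecret("DB_PASSWORD_ENC"),
    getSecret("DB_PASSWORD_ENC"),
  ]);
  return { first, second, kmsCalls };
}
```

In a Lambda handler, call `makeSecretLoader(process.env)` once at module scope so the cache survives warm invocations; the function's role then needs `kms:Decrypt` on the key that produced the ciphertext.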