Securing Environmental Variables


I’m pretty new to Serverless, so sorry if this has been asked a thousand times already.

I noticed that when I import SSM encrypted parameters as environmental variables in my serverless.yml (`${ssm:secret~true}`), they are compiled to plain text and placed in the CloudFormation template as well as in the Lambda environmental variables for anyone to see. This feels like a pretty glaring security flaw. Is there a way to keep environmental variables hidden and decrypted at deployment?

I realize I could just load the SSM keys inside my Lambda handler, but this would add additional time to each request, which I’m trying to avoid.


I found the serverless-kms-secrets along with this article. These look promising, but I’m still decrypting with each invocation, which I’d like to avoid.
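
Added example, not part of the original post or of any plugin mentioned in it: one way to avoid both the plain-text environment value and a decrypt on every request is to put only the parameter name in the environment and cache the decrypted value in module scope, which survives across warm invocations of the same Lambda container. The choice of Python, the names `SECRET_PARAM_NAME`, `/example/secret`, `get_secret` and `SECRET_CACHE`, and the 300-second TTL are assumptions made for illustration.

```python
import os
import time

# Module scope: populated on first use, reused while the container stays warm.
SECRET_CACHE = {}


def fetch_from_ssm(name):
    """Default fetcher: one SSM GetParameter call with decryption."""
    import boto3  # imported lazily so the module loads without the AWS SDK

    ssm = boto3.client("ssm")
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def get_secret(name, ttl_seconds=300, fetch=fetch_from_ssm, now=time.monotonic):
    """Return the decrypted value, calling `fetch` only when nothing is
    cached yet or the cached copy is older than ttl_seconds."""
    entry = SECRET_CACHE.get(name)
    if entry is not None and now() - entry[1] < ttl_seconds:
        return entry[0]
    value = fetch(name)
    SECRET_CACHE[name] = (value, now())
    return value


def handler(event, context, fetch=fetch_from_ssm):
    # The environment carries only the parameter *name* (hypothetical
    # variable SECRET_PARAM_NAME), so no secret value is written to the
    # CloudFormation template or the function configuration.
    param_name = os.environ.get("SECRET_PARAM_NAME", "/example/secret")
    secret = get_secret(param_name, fetch=fetch)
    # Use the secret here; never log it or return it to the caller.
    return {"statusCode": 200, "secretLoaded": bool(secret)}
```

The function's execution role needs permission to read the parameter and to use the KMS key that encrypts it; the TTL bounds how long a rotated value can remain stale in a warm container.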