Using AWS KMS to Encrypt Values in CloudFormation Stacks
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Using AWS KMS to Encrypt Values in CloudFormation Stacks

This repository contains an AWS Lambda-backed custom resource for AWS CloudFormation. The custom resource will encrypt values using AWS Key Management Service (KMS) and make the ecrypted version available to the template.

The included example CloudFormation template (lambda-backed-cloud-formation-kms-encryption.template) demonstrates the usage of the custom resource.

For additional information, please read the in-depth article on implementing this custom resource at [] (


    "Type": "AWS::CloudFormation::CustomResource",
    "Version": "1.0",
    "Properties": {
      "ServiceToken": String,
      "KeyId": String,
      "PlainText": String



The ARN of the AWS Lambda function backing the custom resource.


The plain text value that should be encrypted.


The key ID of the AWS KMS key that should be used to encrypt the value provided in PlainText. Note that the Lambda function backing this custom resource must have encrypt permissions for the specified key.

Return Values


When you provide the custom resource's logical name to the Ref intrinsic function, a GUID will be returned. This value has no meaning whatsoever, and is only supplied because CloudFormation requires a value.

For more information about using the Ref function, see [Ref] (


Fn::GetAtt returns a value for a specified attribute of this type. This section lists the available attributes and sample return values.

  • CipherText: The Base64 encoded, encrypted format of the value that was supplied for the PlainText property.

For more information about using Fn::GetAtt, see [Fn::GetAtt] (