I would suggest taking a look at the following:
- Verify KMS Key Policy – Ensure that the Lambda function's IAM role has the necessary permissions (kms:Decrypt, kms:DescribeKey) for the KMS key.
- Check IAM Role Association – If the Lambda function was destroyed and recreated, its IAM role may have changed. Confirm that the correct role is assigned.
- Use AWS Managed Key – If you're using a customer-managed KMS key, try switching to the default AWS-managed key (aws/lambda).
- Reapply Terraform Configuration – Sometimes, re-running terraform apply can resolve inconsistencies.
- Manually Reassign KMS Key – In the AWS console, navigate to Lambda > Configuration > Environment Variables, and reassign the KMS key.
https://github.com/hashicorp/terraform-provider-aws/issues/6352
❌ Error: "Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's KMS key settings."
✅ Cause

This error usually happens when:
- Your Lambda's IAM execution role does not have permission to access the KMS key used to encrypt environment variables.
- After you destroyed and recreated the Lambda using Terraform, the IAM role or KMS key association changed.

If you're using a Customer Managed Key (CMK) in KMS, you must explicitly grant access to the Lambda function's role.
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function
https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
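Both answers above come down to the same fix: the customer-managed key's policy must name the function's execution role, and the function must point at that key. The Terraform below is an added example, not code from either answer or from the original question. It assumes placeholder names (`lambda_role`, `env_key`, `my_function`, `lambda.zip`) and a Python handler; substitute your own. Because the key policy references `aws_iam_role.lambda_role.arn`, Terraform re-applies the policy whenever the role is recreated, which addresses the destroy/recreate case both answers mention.

```hcl
# Added example: Lambda execution role, a customer-managed KMS key whose
# policy explicitly grants that role decrypt access, and a function that
# encrypts its environment variables with the key.
# All resource names below are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_iam_role" "lambda_role" {
  name = "my-function-exec-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# The key policy is authoritative for a customer-managed key. If the
# execution role is not named here (and the policy does not delegate
# to IAM), the role's own IAM policies cannot grant kms:Decrypt.
resource "aws_kms_key" "env_key" {
  description         = "Encrypts environment variables for my-function"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keep the account able to administer the key.
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Exactly the two permissions the first answer lists, granted to
        # the execution role by ARN. Referencing the Terraform resource
        # (not a hard-coded ARN) ties the policy to the current role.
        Sid       = "LambdaExecRoleDecrypt"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.lambda_role.arn }
        Action    = ["kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
        Condition = {
          # Optional tightening (assumption: you want decrypts only when
          # Lambda makes them on the role's behalf, not from the CLI).
          StringEquals = {
            "kms:ViaService" = "lambda.${data.aws_region.current.name}.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_lambda_function" "my_function" {
  function_name = "my-function"
  role          = aws_iam_role.lambda_role.arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip"

  # Encrypt environment variables at rest with the customer-managed key
  # instead of the default aws/lambda key.
  kms_key_arn = aws_kms_key.env_key.arn

  environment {
    variables = {
      # Example variable; store a reference, not the secret itself.
      DB_PASSWORD_PARAM = "/prod/db/password"
    }
  }
}
```

Why the resource reference matters for the destroy/recreate scenario: when an IAM role named in a KMS key policy is deleted, KMS keeps the role's unique principal ID rather than its ARN, so a recreated role with the same name does not regain access until the policy is saved again. Depending on `aws_iam_role.lambda_role.arn` makes Terraform update the key policy as part of the same apply. If you keep the default `aws/lambda` key instead (the first answer's fourth suggestion), drop `kms_key_arn` and the custom key entirely; the AWS-managed key's policy already covers Lambda in your account.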
