AWS Lambda uses AWS Key Management Service (KMS) to encrypt the environment variables. When you invoke the Lambda function, these values will be decrypted and available in the Lambda code. When you create or update your first Lambda function in a region that uses environment variables, then it will create the default service key automatically within AWS KMS. This key will encrypt the environment variables.
You can also add the AWS KMS key after the Lambda function is created, but in that case you cannot select the default key. If this is the case, you will get billed when you use your own key, but not ...