AWS Lambda functions environment variables can be encrypted using a customer managed key rather than an AWS managed key. This gives customers greater control over key management and is advisable where possible within the AWS ecosystem.
In AWS Console -
In Terraform:
References:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#kms_key_arn