diff --git a/.github/workflows/s3_mpeg.yml b/.github/workflows/s3_mpeg.yml
index 6ad07e4b1..c781728f5 100644
--- a/.github/workflows/s3_mpeg.yml
+++ b/.github/workflows/s3_mpeg.yml
@@ -48,7 +48,7 @@ jobs:
 {
 "identifier": "s3-mpeg-staging",
 "environment": "staging",
- "branch": "develop",
+ "branch": "fix_s3mpeg_lambda",
 "friendly_image_tag": "beta",
 "image_tag": "stag-${{ github.sha }}"
 },
diff --git a/components/s3_mpeg/Gemfile b/components/s3_mpeg/Gemfile
index 7c370c865..2c4f0d4dc 100644
--- a/components/s3_mpeg/Gemfile
+++ b/components/s3_mpeg/Gemfile
@@ -5,6 +5,7 @@ source "https://rubygems.org"
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gem "aws-sdk-s3"
+gem "aws-sdk-ssm"
 gem "ox" # XML parser. required by aws-sdk-s3
 gem "stackprof"
 gem "sentry-ruby"
diff --git a/components/s3_mpeg/Gemfile.lock b/components/s3_mpeg/Gemfile.lock
index da40b4fbd..10ddc99ff 100644
--- a/components/s3_mpeg/Gemfile.lock
+++ b/components/s3_mpeg/Gemfile.lock
@@ -15,6 +15,9 @@ GEM
 aws-sdk-core (~> 3, >= 3.205.0)
 aws-sdk-kms (~> 1)
 aws-sigv4 (~> 1.5)
+ aws-sdk-ssm (1.178.0)
+ aws-sdk-core (~> 3, >= 3.205.0)
+ aws-sigv4 (~> 1.5)
 aws-sigv4 (1.9.1)
 aws-eventstream (~> 1, >= 1.0.2)
 base64 (0.2.0)
@@ -58,6 +61,7 @@ PLATFORMS
 
 DEPENDENCIES
 aws-sdk-s3
+ aws-sdk-ssm
 base64
 ox
 rake
diff --git a/components/s3_mpeg/app.rb b/components/s3_mpeg/app.rb
index c85e24d02..dce33617a 100644
--- a/components/s3_mpeg/app.rb
+++ b/components/s3_mpeg/app.rb
@@ -2,6 +2,8 @@
 require "open3"
 require "securerandom"
 
+require_relative "config/application"
+
 module App
 class Handler
 attr_reader :event, :context, :s3_client
diff --git a/components/s3_mpeg/config/application.rb b/components/s3_mpeg/config/application.rb
new file mode 100644
index 000000000..481c44037
--- /dev/null
+++ b/components/s3_mpeg/config/application.rb
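Review bot: The staging deploy target in the `s3-mpeg-staging` entry now points at the feature branch `fix_s3mpeg_lambda` instead of `develop`, which reads as a temporary change made to exercise this work on staging rather than something meant to land. If that is the case it should go back to `"branch": "develop",` before merge. If a long-lived pin to a feature branch is intended, the reason belongs in a comment next to the entry, since whoever can push to that branch then controls what is deployed to staging.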
@@ -0,0 +1,11 @@
+require "bundler"
+Bundler.require(:default)
+
+require_relative "app_settings"
+require_relative "initializers/aws_stubs"
+
+Dir["#{File.dirname(__FILE__)}/../lib/**/*.rb"].each { |f| require f }
+
+EncryptedEnvironmentVariables.new.decrypt
+
+Dir["#{File.dirname(__FILE__)}/**/*.rb"].each { |f| require f }
diff --git a/components/s3_mpeg/config/initializers/aws_stubs.rb b/components/s3_mpeg/config/initializers/aws_stubs.rb
new file mode 100644
index 000000000..1909b2b73
--- /dev/null
+++ b/components/s3_mpeg/config/initializers/aws_stubs.rb
@@ -0,0 +1,16 @@
+if %w[development test].include?(AppSettings.env)
+ Aws.config[:ssm] = {
+ stub_responses: {
+ get_parameters: lambda { |context|
+ {
+ parameters: context.params[:names].map do |name|
+ Aws::SSM::Types::Parameter.new(
+ name:,
+ value: name.delete_prefix("ssm-parameter-name-")
+ )
+ end
+ }
+ }
+ }
+ }
+end
diff --git a/components/s3_mpeg/lib/encrypted_environment_variables.rb b/components/s3_mpeg/lib/encrypted_environment_variables.rb
new file mode 100644
index 000000000..d1a0da919
--- /dev/null
+++ b/components/s3_mpeg/lib/encrypted_environment_variables.rb
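Review bot: `EncryptedEnvironmentVariables.new.decrypt` runs at require time, so every cold start performs an SSM call before the handler class is even defined, and any failure there surfaces as an uncaught load error; that is a reasonable fail-closed choice, but it should be stated, e.g. `# Resolve *_SSM_PARAMETER_NAME variables into ENV at cold start; a failure aborts init.` above the call. The final `Dir["#{File.dirname(__FILE__)}/**/*.rb"]` glob also matches `application.rb` itself and re-globs `app_settings.rb` and `initializers/aws_stubs.rb`, which were already loaded via `require_relative`; Ruby skips the self-require with a circular-require warning and the others are de-duplicated only if the expanded paths match exactly, so narrowing the glob to the directories that still need loading, or `Dir["#{__dir__}/**/*.rb"].reject { |f| f == __FILE__ }`, would make the load order explicit. The note applies to the whole 11-line file.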
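Review bot: The stub makes every `get_parameters` call succeed with a predictable value (the requested name minus `ssm-parameter-name-`), so if `AppSettings.env` ever evaluates to `development` or `test` in a deployed function, the master key becomes a guessable string instead of the real secret and nothing fails. `AppSettings.env` is fed from `APP_ENV` in the lambda.tf hunk of this same change, so the guard is only as strong as that variable; a comment such as `# Dev/test only: returns deterministic fake values, must never be active when APP_ENV names a deployed environment` at the top of the file would record that dependency, and it would be worth confirming that `AppSettings.env` does not default to `development` when `APP_ENV` is unset (not visible here). The `name:` value-omission shorthand requires Ruby 3.1 or later, which the diff does not show the Lambda runtime satisfying.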
@@ -0,0 +1,36 @@
+require "aws-sdk-ssm"
+
+class EncryptedEnvironmentVariables
+ attr_reader :ssm_client, :environment
+
+ SSM_PARAMETER_NAME_PATTERN = "_SSM_PARAMETER_NAME".freeze
+
+ def initialize(ssm_client: Aws::SSM::Client.new, environment: ENV)
+ @ssm_client = ssm_client
+ @environment = environment
+ end
+
+ def decrypt
+ return if ssm_parameter_names.empty?
+
+ decryption_result = decrypt_parameters(ssm_parameter_names.values)
+ set_env_from_parameters(decryption_result.parameters)
+ end
+
+ private
+
+ def ssm_parameter_names
+ @ssm_parameter_names ||= environment.select { |key, _| key.end_with?(SSM_PARAMETER_NAME_PATTERN) }
+ end
+
+ def decrypt_parameters(names)
+ ssm_client.get_parameters(names:, with_decryption: true)
+ end
+
+ def set_env_from_parameters(parameters)
+ ssm_parameter_names.each do |name, value|
+ env_name = name.delete_suffix(SSM_PARAMETER_NAME_PATTERN)
+ environment[env_name] = parameters.find { |parameter| parameter.name == value }.value
+ end
+ end
+end
diff --git a/components/services/config/initializers/aws_stubs.rb b/components/services/config/initializers/aws_stubs.rb
index 6ef4ee8e1..8e1a688c9 100644
--- a/components/services/config/initializers/aws_stubs.rb
+++ b/components/services/config/initializers/aws_stubs.rb
@@ -1,5 +1,3 @@
-require "aws-sdk-core"
-
 if %w[development test].include?(AppSettings.env)
 Aws.config[:ssm] = {
 stub_responses: {
diff --git a/infrastructure/modules/s3_mpeg/lambda.tf b/infrastructure/modules/s3_mpeg/lambda.tf
index a0ffbc26c..336360f6e 100644
--- a/infrastructure/modules/s3_mpeg/lambda.tf
+++ b/infrastructure/modules/s3_mpeg/lambda.tf
@@ -7,6 +7,13 @@ resource "aws_lambda_function" "this" {
 timeout = 300
 memory_size = 1024
 
+ environment {
+ variables = {
+ APP_MASTER_KEY_SSM_PARAMETER_NAME = aws_ssm_parameter.application_master_key.name
+ APP_ENV = var.app_environment
+ }
+ }
+
 depends_on = [
 aws_iam_role_policy_attachment.this,
 aws_cloudwatch_log_group.this
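Review bot: In `set_env_from_parameters`, `parameters.find { ... }.value` raises `NoMethodError` on `nil` whenever a requested parameter is absent from the response, and `get_parameters` does not raise for names it cannot find or decrypt but lists them in `invalid_parameters`; the error a developer then sees at cold start is "undefined method 'value' for nil" rather than the name of the parameter that was missing or not permitted. `decrypt_parameters` should fail on a non-empty `invalid_parameters` list with the offending names, and because `get_parameters` accepts at most 10 names per call, batching with `each_slice(10)` keeps the class correct once more than ten `*_SSM_PARAMETER_NAME` variables are configured. A class-level comment stating the contract — each `FOO_SSM_PARAMETER_NAME` entry in `environment` names an SSM parameter whose decrypted value is written to `FOO` — would also help, since the class name alone does not say that. The rewrite below returns the parameter list directly, so `decrypt` changes accordingly.
```ruby
  def decrypt
    return if ssm_parameter_names.empty?

    set_env_from_parameters(decrypt_parameters(ssm_parameter_names.values))
  end

  # … unchanged: private, ssm_parameter_names …

  # Returns the decrypted Aws::SSM::Types::Parameter list for +names+, batching
  # to the API's 10-names-per-call limit and failing with the unresolved names
  # instead of handing a nil to the caller.
  def decrypt_parameters(names)
    names.each_slice(10).flat_map do |batch|
      result = ssm_client.get_parameters(names: batch, with_decryption: true)
      invalid = Array(result.invalid_parameters)
      raise ArgumentError, "SSM parameters not found or not decryptable: #{invalid.join(", ")}" unless invalid.empty?

      result.parameters
    end
  end

  # … unchanged: set_env_from_parameters …
```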
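Review bot: The function now resolves `aws_ssm_parameter.application_master_key` at cold start, but nothing in this change touches the execution role; unless the policy behind `aws_iam_role_policy_attachment.this` already grants `ssm:GetParameters` on that parameter's ARN (and `kms:Decrypt` on the key that encrypts it, if the parameter is a SecureString), init will fail in every environment where the development stub is not active. If the grant has to be added, scope it to `aws_ssm_parameter.application_master_key.arn` rather than a wildcard, since this function needs only the one parameter. A comment on the `environment` block, `# APP_ENV selects the dev/test SSM stub; the *_SSM_PARAMETER_NAME value is resolved into APP_MASTER_KEY at cold start`, would tie the two variables to the Ruby side. The `resource "aws_lambda_function" "this"` block begins before the hunk.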