diff --git a/lib/plugins/aws/deployFunction.js b/lib/plugins/aws/deployFunction.js
index 0789e435d..7c71cb924 100644
--- a/lib/plugins/aws/deployFunction.js
+++ b/lib/plugins/aws/deployFunction.js
@@ -26,6 +26,23 @@ class AwsDeployFunction {
         await this.validate();
         await this.checkIfFunctionExists();
         this.checkIfFunctionChangesBetweenImageAndHandler();
+
+        if (_.get(this.serverless.service.serviceObject, 'awsKmsKeyArn')) {
+          this.serverless._logDeprecation(
+            'AWS_KMS_KEY_ARN',
+            'Starting with next major version, ' +
+              '"awsKmsKeyArn" service property will be replaced by "provider.kmsKeyArn"'
+          );
+        }
+        if (
+          Object.values(this.serverless.service.functions).some(({ awsKmsKeyArn }) => awsKmsKeyArn)
+        ) {
+          this.serverless._logDeprecation(
+            'AWS_KMS_KEY_ARN',
+            'Starting with next major version, ' +
+              '"awsKmsKeyArn" function property will be replaced by "kmsKeyArn"'
+          );
+        }
       },
 
       'deploy:function:packageFunction': () =>
@@ -152,10 +169,14 @@ class AwsDeployFunction {
       FunctionName: functionObj.name,
     };
 
-    if (functionObj.awsKmsKeyArn && !_.isObject(functionObj.awsKmsKeyArn)) {
-      params.KMSKeyArn = functionObj.awsKmsKeyArn;
-    } else if (serviceObj.awsKmsKeyArn && !_.isObject(serviceObj.awsKmsKeyArn)) {
-      params.KMSKeyArn = serviceObj.awsKmsKeyArn;
+    const kmsKeyArn =
+      functionObj.kmsKeyArn ||
+      providerObj.kmsKeyArn ||
+      functionObj.awsKmsKeyArn ||
+      serviceObj.awsKmsKeyArn;
+
+    if (kmsKeyArn) {
+      params.KMSKeyArn = kmsKeyArn;
     }
 
     if (params.KMSKeyArn && params.KMSKeyArn === remoteFunctionConfiguration.KMSKeyArn) {
diff --git a/test/unit/lib/plugins/aws/deployFunction.test.js b/test/unit/lib/plugins/aws/deployFunction.test.js
index aa92bb25e..96c84abb2 100644
--- a/test/unit/lib/plugins/aws/deployFunction.test.js
+++ b/test/unit/lib/plugins/aws/deployFunction.test.js
@@ -7,8 +7,8 @@ const fs = require('fs');
 const proxyquire = require('proxyquire');
 const AwsProvider = require('../../../../../lib/plugins/aws/provider');
 const Serverless = require('../../../../../lib/Serverless');
-const { getTmpDirPath } = require('../../../../utils/fs');
 const runServerless = require('../../../../utils/run-serverless');
+const { getTmpDirPath } = require('../../../../utils/fs');
 
 chai.use(require('chai-as-promised'));
 chai.use(require('sinon-chai'));
@@ -37,6 +37,7 @@ describe('AwsDeployFunction', () => {
         },
       },
     };
+    serverless.service.serviceObject = {};
     serverless.service.functions = {
       first: {
         handler: true,
@@ -804,4 +805,110 @@ describe('test/unit/lib/plugins/aws/deployFunction.test.js', () => {
       'Configuration did not change. Skipping function configuration update.'
     );
   });
+
+  it('configuration uses the "kmsKeyArn" instead of functionObj.awsKmsKeyArn', async () => {
+    await runServerless({
+      fixture: 'function',
+      cliArgs: ['deploy', 'function', '--function', 'foo'],
+      lastLifecycleHookName: 'deploy:function:deploy',
+      awsRequestStubMap,
+      configExt: {
+        functions: {
+          foo: {
+            handler: 'index.handler',
+            name: 'foobar',
+            awsKmsKeyArn: 'arn:aws:kms:us-east-1:oldKey',
+          },
+        },
+        provider: {
+          kmsKeyArn: 'arn:aws:kms:us-east-1:newKey',
+        },
+      },
+    });
+
+    sinon.assert.calledWith(updateFunctionConfigurationStub, {
+      Handler: 'index.handler',
+      FunctionName: 'foobar',
+      KMSKeyArn: 'arn:aws:kms:us-east-1:newKey',
+    });
+  });
+
+  it('configuration uses the "kmsKeyArn" instead of serviceObj.awsKmsKeyArn', async () => {
+    await runServerless({
+      fixture: 'function',
+      cliArgs: ['deploy', 'function', '--function', 'foo'],
+      lastLifecycleHookName: 'deploy:function:deploy',
+      awsRequestStubMap,
+      configExt: {
+        functions: {
+          foo: {
+            handler: 'index.handler',
+            name: 'foobar',
+            kmsKeyArn: 'arn:aws:kms:us-east-1:newKey',
+          },
+        },
+        service: {
+          name: 'service',
+          awsKmsKeyArn: 'arn:aws:kms:us-east-1:oldKey',
+        },
+      },
+    });
+
+    sinon.assert.calledWith(updateFunctionConfigurationStub, {
+      Handler: 'index.handler',
+      FunctionName: 'foobar',
+      KMSKeyArn: 'arn:aws:kms:us-east-1:newKey',
+    });
+  });
+
+  it('configuration uses serviceObj.awsKmsKeyArn if no kmsKeyArn provided', async () => {
+    await runServerless({
+      fixture: 'function',
+      cliArgs: ['deploy', 'function', '--function', 'foo'],
+      lastLifecycleHookName: 'deploy:function:deploy',
+      awsRequestStubMap,
+      configExt: {
+        functions: {
+          foo: {
+            handler: 'index.handler',
+            name: 'foobar',
+          },
+        },
+        service: {
+          name: 'service',
+          awsKmsKeyArn: 'arn:aws:kms:us-east-1:oldKey',
+        },
+      },
+    });
+
+    sinon.assert.calledWith(updateFunctionConfigurationStub, {
+      Handler: 'index.handler',
+      FunctionName: 'foobar',
+      KMSKeyArn: 'arn:aws:kms:us-east-1:oldKey',
+    });
+  });
+
+  it('configuration uses functionObj.awsKmsKeyArn and if kmsKeyArn not provided', async () => {
+    await runServerless({
+      fixture: 'function',
+      cliArgs: ['deploy', 'function', '--function', 'foo'],
+      lastLifecycleHookName: 'deploy:function:deploy',
+      awsRequestStubMap,
+      configExt: {
+        functions: {
+          foo: {
+            handler: 'index.handler',
+            name: 'foobar',
+            awsKmsKeyArn: 'arn:aws:kms:us-east-1:oldKey',
+          },
+        },
+      },
+    });
+
+    sinon.assert.calledWith(updateFunctionConfigurationStub, {
+      Handler: 'index.handler',
+      FunctionName: 'foobar',
+      KMSKeyArn: 'arn:aws:kms:us-east-1:oldKey',
+    });
+  });
 });