Ensure Lambda function's environment variables do not expose secrets

Error: Lambda function's environment variables expose secrets

Bridgecrew Policy ID: BC_AWS_SECRETS_3
Checkov Check ID: CKV_AWS_45
Severity: HIGH

Description

A function's metadata includes environment variable fields that hold small configuration values that help the function execute. Any entity with the most basic read-metadata-only permissions can access these variables, and they cannot be encrypted. The Lambda runtime makes environment variables available without passing secrets in code or environment variables.

We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.

Fix - Runtime

CLI Command

To see the secrets, run the following CLI command:

aws lambda get-function-configuration \
  --region <REGION> \
  --function-name <FUNCTION_NAME> \
  --query Environment.Variables
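As an added example (not part of the original page, and not Checkov's own detection logic), the following Python script scans the JSON printed by the command above for values that look like credentials. The regular expressions and name hints are assumptions chosen for this example, and the sample input is constructed from the placeholder values used on this page.

```python
import json
import re

# Heuristics chosen for this example (assumptions, not Checkov's rule set).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
NAME_HINT = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def find_exposed_secrets(variables):
    """Return sorted (variable name, reason) pairs for values that look like secrets."""
    findings = []
    for name, value in (variables or {}).items():
        value = str(value)
        if AWS_KEY_ID.search(value):
            findings.append((name, "value matches AWS access key ID format"))
        elif AWS_SECRET.search(value):
            findings.append((name, "value matches AWS secret access key format"))
        elif NAME_HINT.search(name) and value and not value.startswith("arn:"):
            # A secret-like name holding a literal value rather than an ARN reference.
            findings.append((name, "secret-like name with a literal value"))
    return sorted(findings)


def scan_cli_output(raw_json):
    """Accept the JSON printed by the CLI query; it is `null` when no variables are set."""
    return find_exposed_secrets(json.loads(raw_json))


# Constructed sample input, reusing the placeholder values from this page.
SAMPLE = json.dumps({
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AWS_DEFAULT_REGION": "us-west-2",
    "DB_PASSWORD": "hunter2",
    "DB_PASSWORD_SECRET_ARN": "arn:aws:secretsmanager:us-west-2:111122223333:secret:db",
    "key1": "not_a_secret",
})

if __name__ == "__main__":
    for name, reason in scan_cli_output(SAMPLE):
        print(f"{name}: {reason}")
```

The 40-character pattern also matches other opaque strings of that length, so treat each finding as a prompt for manual review.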

Fix - Buildtime

CloudFormation

  • Resource: AWS::Lambda::Function
  • Argument: Properties.Environment.Variables

Type: AWS::Lambda::Function
Properties:
  ...
  Environment:
    Variables:
      key1: not_a_secret
-     key2: secret

Terraform

  • Resource: aws_lambda_function
  • Argument: environment block, variables attribute

resource "aws_lambda_function" "fail" {
  function_name = "test-env"
  role = ""
  runtime = "python3.8"

  environment {
    variables = {
-      AWS_ACCESS_KEY_ID     = "AKIAIOSFODNN7EXAMPLE",
-      AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-      AWS_DEFAULT_REGION    = "us-west-2"
    }
  }
}

In this case, the permissions would be better granted through an IAM role.