Ensure Lambda function's environment variables do not expose secrets

Error: Lambda function's environment variables expose secrets

Bridgecrew Policy ID: BC_AWS_SECRETS_3
Checkov Check ID: CKV_AWS_45
Severity: HIGH

Lambda function's environment variables expose secrets

Description

A function's metadata includes environment variable fields that contain small configurations that help the function execute. These variables can be accessed by any entity with the most basic read-metadata-only permissions, and cannot be encrypted. Lambda runtime makes environment variables available without passing secrets in code or environment variables.

We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.

Fix - Runtime

CLI Command

To see the secrets, run the following CLI command:

aws lambda get-function-configuration 
--region <REGION> 
--function-name <FUNCTION_NAME> 
--query Environment.Variables

Fix - Buildtime

CloudFormation

  • Resource: AWS::Lambda::Function
  • Argument: Properties.Environment.Variables
Type: AWS::Lambda::Function
    Properties:
        ...
        Environment:
            Variables:
                key1: not_a_secret
-           key2: secret

Did this page help you?