Skip to content

Lambda function's environment variables expose secrets

Description

A function's metadata includes environment variable fields that contain small configurations that help the function execute. These variables can be accessed by any entity with the most basic read-metadata-only permissions, and cannot be encrypted. Lambda runtime makes environment variables available without passing secrets in code or environment variables.

We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.

Fix - Runtime

CLI Command

To see the secrets, run the following CLI command:

aws lambda get-function-configuration 
--region <REGION> 
--function-name <FUNCTION_NAME> 
--query Environment.Variables

Fix - Buildtime

CloudFormation

  • Resource: AWS::Lambda::Function
  • Argument: Properties.Environment.Variables
Type: AWS::Lambda::Function
    Properties:
        ...
        Environment:
            Variables:
                key1: not_a_secret
-           key2: secret

Fix - Buildtime

Terraform

  • Resource: aws_lambda_function
  • Argument Block Environment Attribute variables

```go aws_lambda_function.fail.tf resource "aws_lambda_function" "fail" { function_name = "test-env" role = "" runtime = "python3.8"

environment { variables = { - AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE", - AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", - AWS_DEFAULT_REGION = "us-west-2" } } } ```

In this case the permissions would be better being added to an IAM Role.