Ensure environment variables do not use AWS secret keys, access keys, or access tokens for AWS Lambda Functions

HIGH

Description

Storing credentials in environment variables with identifiable names can pose a significant security risk by exposing resources to unauthorized access. Attackers can exploit this vulnerability to gain access to sensitive data or systems, leading to potential data breaches and other security incidents. To reduce this risk, it is recommended to use a dedicated secret manager or key management service to store credentials securely. Such services provide additional layers of security, such as encryption and access controls, that can help to prevent unauthorized access to sensitive information. By following this recommendation, organizations can improve the overall security posture of their systems and reduce the likelihood of security incidents.

Remediation

AWS Lambda functions have the ability to use Secrets Manager to authenticate to other AWS resources. To configure Lambda functions to use Secrets Manager, see the AWS documentation (below).

In AWS Console:

  1. Sign in to AWS Console and go to the Functions page on the Lambda console.
  2. Choose a function to update.
  3. Select Configuration and then Environment variables.
  4. Choose the variable to update and select Edit.
  5. Reconfigure the variable as necessary.
  6. Select Save.

In Terraform:

  1. In the aws_lambda_function resource, if an environment block defines variables, remove any that hold AWS secret keys, access keys, or access tokens and update the function to obtain those credentials from Secrets Manager instead.
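The following is an added illustration, not code from the original policy page or from the Terraform AWS provider: the flagged pattern (a credential embedded in the environment block) beside the remediated form that stores the value in Secrets Manager, passes only its ARN to the function, and grants the execution role read access to that one secret. The IAM role aws_iam_role.lambda, the function names, the secret name and the zip file are assumed to exist.

```hcl
# Flagged pattern: long-lived IAM user credentials placed in environment
# variables. Anyone allowed to call lambda:GetFunctionConfiguration can read
# them. (Names are prefixed because Lambda itself rejects the reserved
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY variable names.)
resource "aws_lambda_function" "weak" {
  function_name = "example-weak" # hypothetical
  role          = aws_iam_role.lambda.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "app.zip"

  environment {
    variables = {
      CLIENT_AWS_ACCESS_KEY_ID     = "AKIA_PLACEHOLDER" # placeholder value
      CLIENT_AWS_SECRET_ACCESS_KEY = "SECRET_PLACEHOLDER"
    }
  }
}

# Remediated: the credential lives in Secrets Manager; the function receives
# only the ARN and fetches the value at runtime with its execution role.
# For calls to AWS itself, Lambda already injects execution-role credentials,
# so no static AWS keys are needed at all.
resource "aws_secretsmanager_secret" "client_creds" {
  name = "example/client-aws-credentials" # hypothetical
}

resource "aws_lambda_function" "hardened" {
  function_name = "example-hardened" # hypothetical
  role          = aws_iam_role.lambda.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "app.zip"

  environment {
    variables = {
      CLIENT_CREDS_SECRET_ARN = aws_secretsmanager_secret.client_creds.arn
    }
  }
}

# Least privilege: read access scoped to that single secret.
resource "aws_iam_role_policy" "read_client_creds" {
  role = aws_iam_role.lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = aws_secretsmanager_secret.client_creds.arn
    }]
  })
}
```

After migrating, rotate the credential that was previously stored in the environment block, since its prior value remains in the function's configuration history and in any state files that captured it.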

References:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function

Policy Details

Rule Reference ID: AC_AWS_0165
CSP: AWS
Remediation Available: No
Resource Category: Serverless
Resource Type: Lambda

Frameworks