About
Lambda functions allow you to define environment variables containing hardcoded values that are passed to the function code at runtime. If sensitive values are hardcoded in the environment variables, they can be exposed to unintended parties.
Understanding Impact
Business Impact
Credentials and sensitive tokens misplaced in Lambda function environment variables can lead to unauthorized access to your AWS resources. This can result in data breaches, financial loss, and reputational damage.
Technical Impact
Anyone with permissions such as lambda:GetFunction, lambda:GetFunctionConfiguration or lambda:ListFunctions can view the environment variables of a Lambda function. These are highly popular permissions that are part of managed policies such as ViewOnlyAccess or SecurityAudit.
Identify affected resources
You can use lambda:ListFunctions to review the environment variables of all Lambda functions in a region. The following command lists each Lambda function together with its own environment variables (the jq filter iterates over .Functions[] so that every function name is paired with that function's variables rather than combining all names with all variables; -e makes jq exit non-zero when the last result is null or false):
aws lambda list-functions |
jq -e '.Functions[] | {FunctionName: .FunctionName, EnvironmentVariables: .Environment.Variables}'
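The same review can be automated so that the output of aws lambda list-functions is scanned for variables that look like credentials. The script below is an added example and not part of the original page or any AWS tooling: it embeds a constructed list-functions payload (made-up function names and values) and flags a variable when its name matches a credential-like pattern or its value is long and high-entropy. The name pattern and entropy threshold are assumptions that you should tune to your naming conventions.

```python
"""Flag Lambda environment variables that look like hardcoded secrets.

Added example (not part of the original page). Pipe real data in with:
    aws lambda list-functions | python3 scan_lambda_env.py
"""
import json
import math
import re
import sys
from collections import Counter

# Constructed sample shaped like `aws lambda list-functions` output; the
# function names and values are made up for this example.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {
            "FunctionName": "order-processor",
            "Environment": {"Variables": {
                "LOG_LEVEL": "INFO",
                "DB_PASSWORD": "Tr0ub4dor&3xample",
            }},
        },
        {
            "FunctionName": "image-resizer",
            "Environment": {"Variables": {
                "BUCKET": "example-images",
                "THIRD_PARTY_API_KEY": "sk_test_4eC39HqLyjWDarjtT1zdp7dc",
            }},
        },
        # Functions with no environment block omit the "Environment" key entirely.
        {"FunctionName": "healthcheck"},
    ]
})

# Variable names that conventionally carry credentials (assumed heuristic).
SENSITIVE_KEY = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not value:
        return 0.0
    counts = Counter(value)
    length = len(value)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def scan_functions(list_functions_json: str, entropy_threshold: float = 3.5,
                   min_length: int = 16) -> list:
    """Return one finding per environment variable that looks like a secret."""
    findings = []
    for fn in json.loads(list_functions_json).get("Functions", []):
        # .Environment.Variables is absent when the function defines no variables.
        variables = fn.get("Environment", {}).get("Variables", {}) or {}
        for key, value in variables.items():
            reasons = []
            if SENSITIVE_KEY.search(key):
                reasons.append("sensitive-looking key")
            if len(value) >= min_length and shannon_entropy(value) >= entropy_threshold:
                reasons.append("high-entropy value")
            if reasons:
                findings.append({
                    "FunctionName": fn["FunctionName"],
                    "Variable": key,
                    "Reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # Read list-functions JSON from stdin when piped, else use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_FUNCTIONS
    for finding in scan_functions(raw):
        print(f"{finding['FunctionName']}: {finding['Variable']} "
              f"({', '.join(finding['Reasons'])})")
```

Run it once per region (the CLI's --region flag selects the region) and treat every finding as a candidate for the remediation below; the entropy check catches values such as API keys stored under innocuous names, while the name check catches short or low-entropy passwords.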
Remediate vulnerable resources
Remove sensitive values from Lambda function environment variables. Instead, use AWS Secrets Manager or AWS Systems Manager Parameter Store to store sensitive values and reference them in the Lambda function.
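The following handler shows the remediated pattern as an added example (it is not code from the original page or from AWS): the environment variable DB_SECRET_ID holds only the name or ARN of a secret, and the function resolves it through the Secrets Manager GetSecretValue API at runtime, caching the value for a bounded time so a warm execution environment does not call the API on every invocation. The secret name prod/orders/db, the connect_to_database placeholder and the cache TTL are assumptions; the client is injectable so the handler can be exercised without AWS access and falls back to boto3 inside Lambda.

```python
"""Lambda handler that fetches a database password from AWS Secrets Manager at
runtime instead of reading it from an environment variable.

Added example (not part of the original page). The environment variable
DB_SECRET_ID holds only the secret's name or ARN, never the secret itself.
"""
import os
import time


class SecretCache:
    """Fetch secrets via GetSecretValue and cache them for `ttl_seconds`.

    Caching limits per-invocation API calls while the execution environment is
    warm; the TTL bounds how stale a rotated secret can become.
    """

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # secret_id -> (value, fetched_at)

    def get(self, secret_id: str) -> str:
        now = self._clock()
        entry = self._cache.get(secret_id)
        if entry and now - entry[1] < self._ttl:
            return entry[0]
        # Secrets Manager returns SecretString for secrets stored as text.
        response = self._client.get_secret_value(SecretId=secret_id)
        value = response["SecretString"]
        self._cache[secret_id] = (value, now)
        return value


_default_cache = None


def default_cache() -> SecretCache:
    """Lazily build a cache backed by boto3 (imported only when needed)."""
    global _default_cache
    if _default_cache is None:
        import boto3  # present in the Lambda Python runtime
        _default_cache = SecretCache(boto3.client("secretsmanager"))
    return _default_cache


def connect_to_database(password: str) -> str:
    """Placeholder (assumed) for the real database client."""
    return "connected" if password else "failed"


def handler(event, context, cache: SecretCache = None, environ=os.environ) -> dict:
    """Lambda entry point: read the secret *reference* from the environment and
    resolve it through Secrets Manager."""
    secret_id = environ["DB_SECRET_ID"]  # e.g. "prod/orders/db" (assumed name)
    cache = cache or default_cache()
    password = cache.get(secret_id)
    return {"statusCode": 200, "body": connect_to_database(password)}
```

With this layout, a principal holding lambda:GetFunctionConfiguration sees only the secret's identifier; reading the value additionally requires secretsmanager:GetSecretValue on that secret, which you grant to the function's execution role alone. The same shape applies to Systems Manager Parameter Store (GetParameter with WithDecryption for SecureString parameters).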
References
Lambda function environment variables (AWS documentation)
Securing Lambda environment variables (AWS documentation)