Secrets exposed in Lambda function environment variables







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




Lambda functions allow you to define environment variables containing hardcoded values that are passed to the function code at runtime. If sensitive values are hardcoded in the environment variables, they can be exposed to unintended parties.

Understanding Impact

Business Impact

Credentials and sensitive tokens misplaced in Lambda function environment variables can lead to unauthorized access to your AWS resources. This can result in data breaches, financial loss, and reputational damage.

Technical Impact

Anyone with permissions such as lambda:GetFunction, lambda:GetFunctionConfiguration or lambda:ListFunctions permissions can view the environment variables of a Lambda function. These are highly popular permissions that are part of managed policies such as ViewOnlyAccess or SecurityAudit.

Identify affected resources

You can use lambda:ListFunctions to analyze the environment variables of all Lambda functions in a region. The following command will list all Lambda functions and their environment variables:

aws lambda list-functions | 
  jq '{FunctionName: .Functions[].FunctionName, EnvironmentVariables: .Functions[].Environment.Variables}' -e

Remediate vulnerable resources

Remove sensitive values from Lambda function environment variables. Instead, use AWS Secrets Manager or AWS Systems Manager Parameter Store to store sensitive values and reference them in the Lambda function.


Lambda function environment variables

aws documentation

Securing Lambda environment variables

aws documentation

Did you find this article helpful?