Ensure no hard-coded secrets exist in lambda environment

ID

lambda_environment_credentials

Severity

critical

Vendor

AWS

Resource

AWS Lambda

Tags

reachable

Description

AWS Lambda is a compute service that lets you run code without provisioning or managing servers.

Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging.

You can use environment variables to adjust your function’s behavior without updating code. An environment variable is a pair of strings that is stored in a function’s version-specific configuration. The Lambda runtime makes environment variables available to your code and sets additional environment variables that contain information about the function and invocation request.

Any principal with read permissions over the function's configuration would have access to these variables, since they are stored unencrypted.

Credentials should be removed to avoid sensitive data being exposed to third parties.

Examples

CloudFormation

JSON

{
  "Resources": {
    "Dummy": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Runtime": "nodejs12.x",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
        "Handler": "index.handler",
        "Environment": {
          "Variables": {
            "secret_key": "AKIAAAAAAAAAAAAAAAAA"
          }
        }
      }
    }
  }
}

The Variables property contains hardcoded credentials.

YAML

Resources:
  Dummy:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs12.x
      Role: arn:aws:iam::123456789012:role/lambda-role
      Handler: index.handler
      Environment:
        Variables:
          secret_key: AKIAAAAAAAAAAAAAAAAA

The Variables property contains hardcoded credentials.

Mitigation / Fix

Buildtime

CloudFormation

JSON

{
  "Resources": {
    "Dummy": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Runtime": "nodejs12.x",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
        "Handler": "index.handler",
        "Environment": {
          "Variables": {
            "var": "notASecret"
          }
        }
      }
    }
  }
}

Do not hardcode credentials into the Variables property.

YAML

Resources:
  Dummy:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs12.x
      Role: arn:aws:iam::123456789012:role/lambda-role
      Handler: index.handler
      Environment:
        Variables:
          var: notASecret

Do not hardcode credentials into the Variables property.

Runtime

CLI Command

The environment variables of a deployed function can be reviewed for secrets with the following CLI command:

aws lambda get-function-configuration --region <region> --function-name <function-name> --query Environment.Variables
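The following Python script is an added example, not part of the original rule or of any vendor tool: it applies this check both at build time, to a parsed CloudFormation template like the ones in the Examples section, and at runtime, to the JSON object that the CLI command above prints. The templates and the CLI output it scans are constructed inline so that it runs offline; the name pattern and the AWS access key ID format it matches on are assumptions about what a hard-coded credential typically looks like, not rules taken from the page.

```python
import json
import re

# Constructed CloudFormation template (JSON) mirroring the vulnerable "Dummy" function above.
VULNERABLE_TEMPLATE = """
{
  "Resources": {
    "Dummy": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Runtime": "nodejs12.x",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
        "Handler": "index.handler",
        "Environment": {"Variables": {"secret_key": "AKIAAAAAAAAAAAAAAAAA"}}
      }
    }
  }
}
"""

# Constructed template mirroring the fixed example: no credential material in Variables.
FIXED_TEMPLATE = """
{
  "Resources": {
    "Dummy": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Runtime": "nodejs12.x",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
        "Handler": "index.handler",
        "Environment": {"Variables": {"var": "notASecret"}}
      }
    }
  }
}
"""

# Constructed stand-in for what `aws lambda get-function-configuration ... --query Environment.Variables`
# prints: a JSON object of name/value pairs, or `null` when the function has no environment variables.
CLI_OUTPUT = '{"secret_key": "AKIAAAAAAAAAAAAAAAAA", "LOG_LEVEL": "info"}'

# Assumed heuristic: variable names that conventionally carry credentials.
CREDENTIAL_NAME = re.compile(r"secret|passw(or)?d|token|api[_-]?key|access[_-]?key|private[_-]?key", re.I)
# Format of an AWS access key ID: a 4-letter prefix (AKIA long-term, ASIA temporary) plus 16 characters.
AWS_ACCESS_KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def find_hardcoded_credentials(variables):
    """Return (name, reason) pairs for variables whose literal value looks like a credential.

    Only string literals are examined: in CloudFormation a value such as {"Ref": "MyParam"}
    is an intrinsic function resolved at deploy time, not a hard-coded secret.
    """
    findings = []
    for name, value in variables.items():
        if not isinstance(value, str) or not value:
            continue
        if AWS_ACCESS_KEY_ID.match(value):
            findings.append((name, "value matches the AWS access key ID format"))
        elif CREDENTIAL_NAME.search(name):
            findings.append((name, "variable name suggests a credential"))
    return findings


def scan_cloudformation(template):
    """Build-time check: walk every AWS::Lambda::Function in a template (JSON text or parsed dict)."""
    if isinstance(template, str):
        template = json.loads(template)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        variables = (resource.get("Properties", {})
                     .get("Environment", {})
                     .get("Variables", {}))
        for name, reason in find_hardcoded_credentials(variables):
            findings.append((logical_id, name, reason))
    return findings


def scan_cli_output(text):
    """Runtime check: parse the JSON printed by the get-function-configuration query."""
    variables = json.loads(text) or {}  # `null` means no environment variables are configured
    return find_hardcoded_credentials(variables)


if __name__ == "__main__":
    for label, template in (("vulnerable", VULNERABLE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, scan_cloudformation(template))
    print("deployed", scan_cli_output(CLI_OUTPUT))
```

The vulnerable template yields one finding for the Dummy function's secret_key variable, the fixed template yields none, and the constructed CLI output is flagged in the same way as the template. A YAML template would need to be loaded with a YAML parser before being handed to scan_cloudformation; the scanning logic itself is the same.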