AWS-Lambda-Functions-Contain-Secrets

Severity : Medium

Description: This control checks that Lambda function code does not contain secrets such as API keys or database credentials. Security best practice is that Lambda function code must not embed secrets such as API keys and passwords. Lambda code should instead retrieve secrets at runtime from a dedicated service such as AWS Secrets Manager or AWS Systems Manager Parameter Store.

Remediation Steps:

Perform the following to store secrets in Secrets Manager and have the Lambda function use them:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

Create the secret in Secrets Manager for the instances:

  1. Navigate to the Secrets Manager console.

  2. Select Secrets, then Store a new secret.

  3. In the navigation pane, select Instances and then select the instance reported.

  4. Under Secret type, select Other type of secret and specify the key/value pairs.

  5. Select Next. Enter a name and a description for the secret.

Create an IAM role with a secret-access policy for the instances:

  1. Navigate to the IAM console.

  2. Select Roles, then Create Role.

  3. If an EC2 instance role already exists, add a policy to it that grants access to the secret, as below. If no role exists, create a role for EC2 instances. The policy in the role:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": ["secretsmanager:GetSecretValue"],
           "Resource": "<secret ARN in Secrets Manager>",
           "Effect": "Allow"
         }
       ]
     }

     (Replace the Resource placeholder with the ARN of the secret created above; scoping it to that single secret rather than "*" keeps the role least-privilege.)

Update the Lambda function's permissions to use the role above and remove the secret from the function code:

  1. Navigate to the Lambda console.

  2. In the navigation pane, select Functions.

  3. Select the reported function from the list of functions.

  4. If the Lambda function has no role, select Execution role and then Edit. Under Basic settings, for the existing role, select the role created above.

  5. If the Lambda function already has a role, update that role with the policy above so the function can access the secret.

  6. Choose Save to save the changes.

  7. In the navigation pane, select Environment variables. Select Edit and add the name of the secret as an environment variable.

  8. Update the Lambda function code to remove the embedded secret and add code that fetches it at runtime using the Secrets Manager SDK.
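The following is an added example of step 8, not code from this page or from AWS: a Python Lambda handler that reads the secret name from a SECRET_NAME environment variable (assumed to be the variable added in step 7) and fetches the key/value secret from Secrets Manager with boto3, caching it per container so warm invocations do not call the API every time. The client is injectable so the loader can be exercised offline.

```python
# Added example (not Blue Hexagon's or AWS's code). Assumes boto3, which the
# Lambda Python runtime bundles, and a SECRET_NAME environment variable.
import json
import os
import time

_CACHE = {}               # secret_id -> (fetched_at, parsed secret dict)
CACHE_TTL_SECONDS = 300   # re-fetch after 5 minutes so rotated values are picked up


def _default_client():
    import boto3          # lazy import: present in the Lambda runtime, not needed for tests
    return boto3.client("secretsmanager")


def load_secret(secret_id, client=None, now=None):
    """Fetch a key/value secret from Secrets Manager and return it as a dict.

    A per-container cache keeps a warm Lambda from calling the API on every
    invocation; 'client' is injectable so the loader can be tested offline.
    """
    now = time.time() if now is None else now
    hit = _CACHE.get(secret_id)
    if hit and now - hit[0] < CACHE_TTL_SECONDS:
        return hit[1]
    client = client or _default_client()
    resp = client.get_secret_value(SecretId=secret_id)
    raw = resp.get("SecretString")   # "Other type of secret" is stored as JSON text
    if raw is None:
        raise ValueError("secret %r has no SecretString (binary secrets unsupported)" % secret_id)
    secret = json.loads(raw)
    _CACHE[secret_id] = (now, secret)
    return secret


def handler(event, context, client=None):
    """Lambda entry point: only the secret's name is configured; no credential
    is present in the deployment package."""
    secret = load_secret(os.environ["SECRET_NAME"], client=client)
    db_user, db_password = secret["username"], secret["password"]
    # Build the database connection from db_user/db_password here; never log
    # or return the values.
    return {"statusCode": 200, "body": "ok"}
```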


Blue Hexagon Proprietary