AWS-Lambda-Variables-Contain-Secrets

Severity: High

Description: This control ensures that Lambda environment variables do not contain secrets in clear text. Lambda environment variables can be used to configure dynamic and frequently changed settings of a Lambda function in order to change the function's behavior without changing the function code. These variables can contain sensitive information such as database connection details and should be protected when stored. Using a customer managed key (CMK) instead of the AWS default key provides better management capabilities over the KMS key used to encrypt the variables.

Remediation Steps:

Perform the following to encrypt environment variables at rest for a Lambda function:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to AWS Lambda console.

  3. In the navigation pane, select Functions.

  4. Select the function to be modified.

  5. Navigate to Environment Variables.

  6. Under AWS KMS key to encrypt at rest, choose Use a customer master key.

  7. Select the KMS key of choice.

  8. Click Save changes to apply.
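As an added example, not part of this control page, the check below evaluates a Lambda function configuration (the shape returned by GetFunctionConfiguration or ListFunctions) for variable names that look like secrets and for whether a customer managed KMS key is configured; the variable-name pattern and the sample configuration are constructed for illustration.

```python
import re
from typing import Dict, List

# Variable names that usually carry credentials (constructed heuristic;
# tune it to your naming conventions).
SECRET_NAME = re.compile(r"PASSW|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)


def find_clear_text_secrets(config: Dict) -> List[str]:
    """Names of non-empty variables that look like secrets.

    `config` has the shape of a Lambda GetFunctionConfiguration response.
    """
    variables = config.get("Environment", {}).get("Variables", {})
    return sorted(n for n, v in variables.items() if v and SECRET_NAME.search(n))


def uses_customer_managed_key(config: Dict) -> bool:
    """True when a CMK encrypts the variables; Lambda omits KMSKeyArn
    (or returns an empty string) when the AWS-managed default key is used."""
    return bool(config.get("KMSKeyArn"))


def assess(config: Dict) -> Dict:
    """Evaluate one function against the control and return a finding."""
    secrets = find_clear_text_secrets(config)
    cmk = uses_customer_managed_key(config)
    return {
        "FunctionName": config.get("FunctionName"),
        "ClearTextSecrets": secrets,
        "CustomerManagedKey": cmk,
        "Compliant": not secrets and cmk,
    }


# Constructed sample response, not captured from a real account.
# No KMSKeyArn field: the AWS-managed default key is in use.
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "Environment": {"Variables": {
        "DB_HOST": "db.internal.example",
        "DB_PASSWORD": "hunter2",
        "LOG_LEVEL": "INFO",
    }},
}

if __name__ == "__main__":
    # Against a live account, pass each entry of
    # boto3.client("lambda").list_functions()["Functions"] to assess().
    print(assess(SAMPLE_CONFIG))
```

A CMK controls who can decrypt the stored variables through the key policy, but Lambda still returns the values in clear to any principal allowed to read the function configuration, so a flagged variable is best moved to a secrets store and referenced by name.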

Important:

Reference:

Blue Hexagon Proprietary