Description:

Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. 

AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. Lambda runs your code on high availability compute infrastructure and performs all the administration of your compute resources. 



Rationale:

Ensure that no personal or sensitive information, such as credentials, is hardcoded in the Lambda function code or sent to and from it. For this to work, the function must use AWS Secrets Manager so that all access to secret data can be properly traced.


Impact:

Lambda function code can be kept free of hardcoded secrets.


Default value:

By default, the integration between Lambda functions and Secrets Manager is disabled.

Pre-Requisite:

In order to grant a Lambda function access to Secrets Manager, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the actions the function needs to perform on the secrets.

Remediation:

Test Plan:

  • AWS Console Process

  1. Open the Functions page of the Lambda console.

  2. Choose the name of a function.

  3. Choose Configuration, and then choose Permissions.

  4. Under Resource summary, review the services and resources that the function can access.

  5. Choose a service from the dropdown list to see permissions related to that service.

  6. Check that the attached IAM role has a Secrets Manager policy.

  7. You can add or remove permissions from a function's execution role at any time, or configure your function to use a different role.



  • Using AWS CLI

The following command lists the Lambda functions; the output includes the execution role of each function, from which that function's permissions can be reviewed.

  aws lambda list-functions \
      [--master-region <value>] \
      [--function-version <value>]
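As an added example (not part of this document), the test-plan check automated with boto3: it lists every function, resolves the execution role from the role ARN and inspects both inline and attached managed policies for an Allow on secretsmanager:GetSecretValue. The StubLambda and StubIam clients are constructed sample data; for a real account pass boto3.client("lambda") and boto3.client("iam") instead.

```python
"""Audit which Lambda execution roles can read Secrets Manager secrets.
Constructed example: pass boto3.client("lambda") and boto3.client("iam") for a real account."""
import fnmatch

def _as_list(v):  # IAM allows "Statement" and "Action" to be a single value or a list
    return v if isinstance(v, list) else [v]

def policy_grants_secrets_access(document, action="secretsmanager:GetSecretValue"):
    """True if an Allow statement covers `action`, IAM wildcards ('*', 'secretsmanager:Get*')
    included. Deny statements are not evaluated, so True means 'review this role'."""
    return any(stmt.get("Effect") == "Allow"
               and any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))
               for stmt in _as_list(document.get("Statement", [])))

def role_policy_documents(iam, role_name):
    """Yield each inline and attached managed policy document of an IAM role."""
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        yield iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
    for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        ver = iam.get_policy(PolicyArn=pol["PolicyArn"])["Policy"]["DefaultVersionId"]
        yield iam.get_policy_version(PolicyArn=pol["PolicyArn"], VersionId=ver)["PolicyVersion"]["Document"]

def audit_functions(lambda_client, iam):
    """Map every function name to whether its execution role can read secrets (follows all pages)."""
    result, marker = {}, None
    while True:
        page = lambda_client.list_functions(**({"Marker": marker} if marker else {}))
        for fn in page["Functions"]:
            role = fn["Role"].rsplit("/", 1)[-1]  # role name is the last segment of the role ARN
            result[fn["FunctionName"]] = any(map(policy_grants_secrets_access, role_policy_documents(iam, role)))
        marker = page.get("NextMarker")
        if not marker:
            return result

class StubLambda:  # constructed sample: two functions with different execution roles
    def list_functions(self, **kwargs):
        return {"Functions": [
            {"FunctionName": "reads-secrets", "Role": "arn:aws:iam::123456789012:role/secrets-reader"},
            {"FunctionName": "logs-only", "Role": "arn:aws:iam::123456789012:role/logger"}]}

class StubIam:  # constructed sample: only secrets-reader carries an inline Secrets Manager policy
    def list_role_policies(self, RoleName):
        return {"PolicyNames": ["read-secrets"] if RoleName == "secrets-reader" else []}
    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "secretsmanager:Get*", "Resource": "*"}}}
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": "logs", "PolicyArn": "arn:aws:iam::aws:policy/logs"}]}
    def get_policy(self, PolicyArn): return {"Policy": {"DefaultVersionId": "v1"}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": {"Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}}}
```

Running audit_functions(StubLambda(), StubIam()) flags reads-secrets and clears logs-only; the wildcard matching is deliberately broad so that a role granted "*" is also surfaced for review.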

Implementation Plan:

  • AWS Console Process

  1. Open the Functions page of the Lambda console.

  2. Choose the name of a function.

  3. Choose Configuration, and then choose Permissions.

  4. Under Resource summary, review the services and resources that the function can access.

  5. Choose a service from the dropdown list to see permissions related to that service.

  6. In the Lambda execution role, locate the permission that allows access to secrets (secretsmanager:GetSecretValue) and delete it.

  7. (Optional) The secret itself can also be deleted in Secrets Manager.

  8. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  9. In the list of secrets, choose the secret you want to delete.

  10. In the Secret details section, choose Actions, and then choose Delete secret.

  • Using AWS CLI

  1. The following remove-permission command removes a statement from the function's resource-based policy; the statement to remove is identified by its statement ID.

    aws lambda remove-permission \
        --function-name <my-function> \
        --statement-id <statement-id>

  2. The following delete-secret example deletes a secret; pass the ID or ARN of the particular secret as the secret-id value.

    aws secretsmanager delete-secret \
        --secret-id <id-value>

Backout Plan:

  • AWS Console Process

  1. Open the Functions page of the Lambda console.

  2. Choose the name of a function.

  3. Choose Configuration, and then choose Permissions.

  4. Under Resource summary, review the services and resources that the function can access.

  5. Choose a service from the dropdown list to see permissions related to that service.

  6. Add the permissions back to the function's execution role, or configure your function to use a different role.

  7. (Optional) If you deleted the secret in Secrets Manager, you need to cancel the secret deletion.

  8. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  9. In the list of secrets, choose the secret you want to restore.

  10. If deleted secrets don't appear in your list of secrets, choose Preferences. In the Preferences dialog box, select Show disabled secrets, and then choose Save.

  11. On the Secret details page, choose Cancel deletion.

  12. In the Cancel secret deletion dialog box, choose Cancel deletion.



  • Using AWS CLI

  1. The following add-permission command grants the specified principal permission to invoke the named function; each statement needs a unique statement ID.

    aws lambda add-permission \
        --function-name <my-function> \
        --statement-id <statement-id> \
        --action lambda:InvokeFunction \
        --principal <source arn>

  2. The following restore-secret command restores a secret that was previously scheduled for deletion.

    aws secretsmanager restore-secret \
        --secret-id <secret id>

References: