Profile Applicability:

  • Level 1

Description:
Environment variables in AWS Lambda functions are commonly used to hold configuration settings, and often secrets such as API keys and database credentials. Lambda always encrypts environment variables at rest with an AWS KMS key, but the plaintext values are returned to any principal that can read the function configuration and are displayed in the console. Enabling encryption in transit (client-side encryption of the values) stores each sensitive value as KMS ciphertext that is encrypted before it reaches Lambda and decrypted only inside the function at runtime, so the plaintext never appears in the configuration, the API responses, or the console.

Rationale:
 By default, environment variable values are stored and returned as plaintext through the Lambda API (GetFunction, GetFunctionConfiguration) and the console, even though Lambda encrypts them at rest with the AWS-managed aws/lambda key. Any principal with read access to the function configuration, and any tool that exports it (CI logs, infrastructure-as-code state, backups), therefore sees the secrets. Encrypting the values in transit with a customer managed KMS key means only the function's execution role, and other principals the key policy allows, can recover the plaintext through kms:Decrypt.

Key Risks:

  • Data exposure: plaintext values are readable by anyone who can call GetFunctionConfiguration or open the function in the console, and are copied into every export of the configuration.

  • Non-compliance: regulatory frameworks such as GDPR, HIPAA, and PCI DSS require that credentials and other sensitive data be protected; storing them as plaintext configuration can produce findings against these requirements.

  • Credential reuse: a plaintext value copied out of one function's configuration works anywhere, whereas a KMS ciphertext bound to the function name through its encryption context decrypts only for that function.

Impact:
 Pros:

  • Ensures secrets such as API keys and credentials are not exposed in plaintext through the function configuration, API responses, or the console.

  • Reduces the risk of data breaches and unauthorized access.

  • Helps achieve compliance with regulatory standards like GDPR, HIPAA, and PCI DSS.

  • Separates the right to read the function configuration from the right to read the secrets, which now requires kms:Decrypt on the key.

Cons:

  • Adds a KMS Decrypt call per encrypted variable on each cold start; cache the plaintext in the execution environment so warm invocations pay nothing.

  • Requires key management: the execution role needs kms:Decrypt, the key policy must allow it, and disabling or deleting the key breaks every function that depends on it.

  • Requires a code change: the runtime does not decrypt the values automatically, so the function must decrypt them itself.

Default Value:
 Environment variables are encrypted at rest with the AWS-managed key aws/lambda by default. Encryption in transit is not enabled by default: values are stored and returned as plaintext, and a customer managed key must be explicitly configured.

Pre-requisites:

  • IAM permissions to read and update the function configuration (lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration) and to encrypt values with the key (kms:Encrypt).

  • A customer managed AWS KMS key in the same region as the function, with a key policy that allows the function's execution role to call kms:Decrypt.

Remediation:

Test Plan:

 Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the Lambda service and select your function.

  3. In the "Configuration" tab, click on "Environment variables."

  4. Under "Encryption configuration," confirm that the helpers for encryption in transit are enabled and that a customer managed KMS key is selected.

  5. Confirm that each sensitive variable shows a ciphertext value rather than readable plaintext.

  6. Invoke the function and confirm that it decrypts the values and completes successfully.

  7. Check the function's CloudWatch logs for KMS errors such as AccessDeniedException (missing kms:Decrypt on the execution role) or InvalidCiphertextException (encryption context or key mismatch).

Using AWS CLI:

  1. Retrieve the function configuration:

    aws lambda get-function-configuration --function-name <function-name>

  2. Check the KMSKeyArn field in the response: it should be the ARN of your customer managed key. When the field is absent, Lambda is using the AWS-managed aws/lambda key.

  3. Check Environment.Variables in the response: sensitive values should be base64-encoded KMS ciphertext, not readable plaintext.
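
As an added example, not code from the original page, the CLI check above automated in Python over the parsed JSON that get-function-configuration returns. The function names, key ARN and variable values are constructed sample data, and the ciphertext heuristic (a value that base64-decodes to at least 100 bytes) is an assumption chosen for this example, not an AWS rule.

```python
import base64
import binascii
import re

# Variable names that usually carry secrets (heuristic; tune for your estate).
SECRET_NAME_RE = re.compile(r"KEY|SECRET|PASSWORD|PASSWD|TOKEN|CREDENTIAL", re.I)

# Assumption for this example: a KMS ciphertext blob for even a short secret is a
# few hundred bytes of binary (it carries the encrypted data key), so a value that
# does not base64-decode to at least this many bytes is treated as plaintext.
MIN_CIPHERTEXT_BYTES = 100


def looks_like_kms_ciphertext(value: str) -> bool:
    """Heuristic test for 'this value is a base64-encoded KMS ciphertext blob'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= MIN_CIPHERTEXT_BYTES


def audit_function_config(cfg: dict) -> list:
    """Findings for one parsed `aws lambda get-function-configuration` response."""
    findings = []
    name = cfg.get("FunctionName", "<unknown>")

    # KMSKeyArn is absent from the response when Lambda is using the
    # AWS-managed aws/lambda key rather than a customer managed key.
    if not cfg.get("KMSKeyArn"):
        findings.append(f"{name}: no customer managed key (AWS-managed aws/lambda key in use)")

    variables = cfg.get("Environment", {}).get("Variables", {})
    for var_name, value in variables.items():
        if SECRET_NAME_RE.search(var_name) and not looks_like_kms_ciphertext(value):
            findings.append(
                f"{name}: {var_name} is plaintext and readable by anyone with "
                "lambda:GetFunctionConfiguration"
            )
    return findings


def audit_all(configs: list) -> list:
    """Run the audit over several functions (for example one page of list-functions)."""
    return [f for cfg in configs for f in audit_function_config(cfg)]


# Constructed sample data standing in for two real API responses.
FAKE_CIPHERTEXT = base64.b64encode(b"\x01\x02\x02\x00" + b"\x00" * 196).decode()
SAMPLE_CONFIGS = [
    {
        "FunctionName": "orders-api",
        "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "Environment": {"Variables": {"DB_PASSWORD": FAKE_CIPHERTEXT, "LOG_LEVEL": "INFO"}},
    },
    {
        "FunctionName": "legacy-cron",
        "Environment": {"Variables": {"API_KEY": "example-plaintext-key", "REGION": "us-east-1"}},
    },
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONFIGS):
        print(finding)
```

Feed it the output of get-function-configuration for every function returned by list-functions; a function with a customer managed key and ciphertext values produces no findings, while one on the default key with a plaintext secret produces one finding per problem.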

Implementation Plan:

 Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the Lambda service and select the desired Lambda function.

  3. Click on "Configuration" and then "Environment variables."

  4. Under "Encryption configuration," select the customer managed KMS key for encryption at rest, enable the helpers for encryption in transit, and use the Encrypt action next to each sensitive variable to replace its plaintext with KMS ciphertext.

  5. Grant the execution role kms:Decrypt on the key, and update the function code to decrypt the values at runtime (the console shows a decryption snippet for each encrypted variable).

  6. Save and deploy the configuration, then invoke the function to confirm that it decrypts the values and runs correctly.

Using AWS CLI:

  1. Encrypt each sensitive value with the customer managed key, binding the ciphertext to the function name through the encryption context (the decrypt call in the function must pass the same context):

    aws kms encrypt --key-id <kms-key-arn> --plaintext fileb://secret.txt --encryption-context LambdaFunctionName=<function-name> --query CiphertextBlob --output text

     The output is the base64-encoded ciphertext to store as the variable's value.

  2. Update the function configuration with the ciphertext values and the key. Note that --environment replaces the entire variable set, so include every variable the function needs, not only the encrypted ones:

    aws lambda update-function-configuration --function-name <function-name> --environment "Variables={KEY_NAME=<ciphertext>,OTHER_VAR=value}" --kms-key-arn <kms-key-arn>

  3. Grant the execution role kms:Decrypt on the key, update the function code to decrypt the values at runtime, then verify the configuration:

    aws lambda get-function-configuration --function-name <function-name> --query "[KMSKeyArn,Environment.Variables]"
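
Because the runtime does not decrypt these values for you, the function has to do it. The handler below is an added example, not code from this page or from AWS: it decrypts the ciphertext variables once per execution environment with the same encryption context the encrypt step binds them to (LambdaFunctionName), caches the plaintext for warm invocations, and includes an offline stand-in for the boto3 KMS client so it runs without AWS credentials. The variable names DB_PASSWORD and API_KEY and the fake ciphertext format are assumptions for this example.

```python
import base64
import os

# Variables whose values are KMS ciphertext (base64), as produced by `aws kms encrypt`
# or the console's encryption-in-transit helper. Names are an assumption for this example.
ENCRYPTED_VARS = ("DB_PASSWORD", "API_KEY")


class EncryptedEnv:
    """Decrypts ciphertext environment variables once per execution environment.

    The EncryptionContext must match what was used at encryption time. Binding each
    value to the function name means a blob copied from another function's
    configuration fails to decrypt instead of yielding the secret.
    """

    def __init__(self, kms_client, function_name, environ=None):
        self._kms = kms_client
        self._ctx = {"LambdaFunctionName": function_name}
        self._environ = os.environ if environ is None else environ
        self._plain = None  # filled on first use, reused on warm invocations

    def secrets(self):
        if self._plain is None:
            self._plain = {name: self._decrypt(name) for name in ENCRYPTED_VARS}
        return self._plain

    def _decrypt(self, name):
        value = self._environ.get(name)
        if not value:
            raise KeyError(f"encrypted variable {name} is not set")
        resp = self._kms.decrypt(
            CiphertextBlob=base64.b64decode(value),
            EncryptionContext=self._ctx,
        )
        return resp["Plaintext"].decode("utf-8")


_ENV = None  # module-level so the KMS round trip happens on cold start only


def lambda_handler(event, context):
    global _ENV
    if _ENV is None:
        import boto3  # imported lazily so this module loads without the SDK installed

        _ENV = EncryptedEnv(boto3.client("kms"), os.environ["AWS_LAMBDA_FUNCTION_NAME"])
    secrets = _ENV.secrets()
    # Use the plaintext in memory only; never log it or return it to the caller.
    return {"statusCode": 200, "db_password_len": len(secrets["DB_PASSWORD"])}


class FakeKms:
    """Offline stand-in for boto3's KMS client (not the real SDK). It returns the
    plaintext only when the EncryptionContext matches the one it was 'encrypted'
    with, mimicking KMS, which rejects a decrypt whose context differs."""

    def __init__(self, bound_context):
        self._bound = bound_context

    def decrypt(self, CiphertextBlob, EncryptionContext):
        if EncryptionContext != self._bound or not CiphertextBlob.startswith(b"FAKE:"):
            raise ValueError("InvalidCiphertextException: context or ciphertext mismatch")
        return {"Plaintext": CiphertextBlob[len(b"FAKE:"):]}


def fake_ciphertext(plaintext: str) -> str:
    """Build the base64 blob the fake client understands (constructed sample data)."""
    return base64.b64encode(b"FAKE:" + plaintext.encode()).decode()
```

In a real deployment only EncryptedEnv and lambda_handler ship with the function; FakeKms and fake_ciphertext exist so the decryption path, the caching, and the context-mismatch failure can be exercised locally.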

Backout Plan:
 Using AWS Console:

  1. If the function fails after the change (for example, KMS AccessDeniedException or InvalidCiphertextException in its logs), navigate to the Lambda function's "Environment variables" section.

  2. Replace each ciphertext value with its plaintext value and disable the helpers for encryption in transit; switch the key selection back to the AWS-managed key only if the customer managed key itself is the problem.

  3. Save and deploy the changes, and roll the function code back to the version that read the variables directly.

  4. Treat this as a temporary measure only: the plaintext values are again readable by anyone who can view the configuration, so re-apply encryption once the permission or code issue is fixed.

Using AWS CLI:

  1. To remove the customer managed key and restore plaintext values, run the following command. An empty --kms-key-arn reverts the function to the AWS-managed aws/lambda key; the variables remain encrypted at rest, only the client-side encryption of the values is undone:

    aws lambda update-function-configuration --function-name <function-name> --environment "Variables={KEY_NAME=plain-value}" --kms-key-arn ""

  2. Roll back the function code that performed the decryption, then verify the change: the KMSKeyArn field should be absent from the response and the values readable again.

    aws lambda get-function-configuration --function-name <function-name>

References:

  • https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars-encryption.html

CIS Controls:

  Version   Control ID   Control Description
  v8        3.10         Encrypt Sensitive Data in Transit
  v8        3.11         Encrypt Sensitive Data at Rest
  v7        14.4         Encrypt All Sensitive Information in Transit
  v7        14.8         Encrypt Sensitive Information at Rest