Profile Applicability:

  • Level 1

Description:

This control ensures that no sensitive data such as passwords, API keys, access tokens, or private keys is stored directly in AWS Lambda environment variables. Lambda environment variables are stored unencrypted (unless configured with KMS) and can be viewed by users with read access to the Lambda configuration, potentially leading to data exposure or credential compromise. 

Rationale:

Lambda functions often rely on environment variables for configuration, but storing sensitive credentials or secrets in plaintext poses a significant security risk. If an attacker or unauthorized user gains access to the Lambda configuration or its logs, they could extract and misuse these secrets. Instead, secrets should be stored securely using AWS Secrets Manager or AWS Systems Manager Parameter Store (with encryption) and accessed programmatically at runtime. This ensures compliance with security best practices and frameworks like CIS, ISO 27001, SOC 2, and NIST 800-53. 

Impact:

  • Positive Impact: Improves the security of Lambda functions by eliminating plaintext secrets and enforcing centralized, encrypted secret management.

  • Negative Impact: Requires refactoring of Lambda code to securely fetch secrets from AWS Secrets Manager or Parameter Store at runtime. 

Default Value:

By default, AWS Lambda environment variables are not encrypted with a customer-managed KMS key unless explicitly configured. 

Pre-Requisite:

  • IAM permissions required: lambda:ListFunctions, lambda:GetFunctionConfiguration.
  • Define a set of secret patterns to search for, such as “password=”, “AWS_ACCESS_KEY_ID”, “SECRET_KEY”, “token=”, or “PRIVATE_KEY”.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Lambda → Functions.

  3. Select a function and go to the Configuration → Environment variables section.

  4. Review all key-value pairs and check for sensitive data such as credentials, API keys, or private information.

  5. If any secrets are found in plaintext, the function is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Identify all Lambda functions with sensitive data in environment variables.

  2. For each function:

    • Copy existing secret values to AWS Secrets Manager or AWS Systems Manager Parameter Store (with KMS encryption).

    • Modify the Lambda function code to securely retrieve these values at runtime using the appropriate AWS SDK.
      Example (Python):

  3. Remove the sensitive values from the Lambda environment variables.

  4. (Optional) Configure the Lambda function to use KMS encryption for non-sensitive environment variables if necessary.

    • Navigate to Lambda → Configuration → Environment variables → Edit encryption settings.

    • Choose a customer-managed KMS key for encryption.
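The Test Plan above is a manual console review; the following is an added automated version of the same check, written for this page (not AWS or CIS code). It applies the Pre-Requisite secret patterns to every function's environment variables and reports the non-compliant functions; the `find_sensitive_variables`/`audit_functions`/`audit_account` names, the extra value-format heuristics and the sample ListFunctions data are assumptions constructed for the example.

```python
"""Audit Lambda environment variables for plaintext secrets (added example)."""
import re
from typing import Dict, Iterable, List

# Secret patterns from the Pre-Requisite section, matched case-insensitively
# against both the variable name and its value. Extend to fit your environment.
SECRET_PATTERNS = [r"password=?", r"AWS_ACCESS_KEY_ID", r"SECRET_KEY", r"token=?", r"PRIVATE_KEY"]
# Value formats that are secrets whatever the key is called (constructed
# heuristics, not from the page): AWS access key IDs and PEM private keys.
VALUE_PATTERNS = [r"\bAKIA[0-9A-Z]{16}\b", r"-----BEGIN [A-Z ]*PRIVATE KEY-----"]

_KEY_RE = re.compile("|".join(SECRET_PATTERNS), re.IGNORECASE)
_VALUE_RE = re.compile("|".join(SECRET_PATTERNS + VALUE_PATTERNS), re.IGNORECASE)


def find_sensitive_variables(variables: Dict[str, str]) -> List[str]:
    """Return the names of variables whose name or value looks like a secret."""
    return sorted(name for name, value in variables.items()
                  if _KEY_RE.search(name) or _VALUE_RE.search(value))


def audit_functions(functions: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant function name to its flagged variable names.

    `functions` yields FunctionConfiguration dicts as returned by ListFunctions,
    which already carries Environment.Variables for every function.
    """
    findings = {}
    for fn in functions:
        flagged = find_sensitive_variables(fn.get("Environment", {}).get("Variables", {}))
        if flagged:
            findings[fn["FunctionName"]] = flagged
    return findings


def audit_account(region: str = "us-east-1") -> Dict[str, List[str]]:
    """Run the audit against a live account (needs lambda:ListFunctions)."""
    import boto3  # imported here so the offline functions above need no AWS SDK

    paginator = boto3.client("lambda", region_name=region).get_paginator("list_functions")
    return audit_functions(fn for page in paginator.paginate() for fn in page["Functions"])


# Constructed stand-in for a ListFunctions response: two non-compliant functions
# and one that only stores the Secrets Manager ARN, which is the remediated state.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Environment": {"Variables": {"DB_PASSWORD": "Hunter2!", "LOG_LEVEL": "INFO"}}},
    {"FunctionName": "report-job", "Environment": {"Variables": {"CONN": "host=db;user=app;password=abc"}}},
    {"FunctionName": "compliant-fn", "Environment": {"Variables": {"DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-AbCdEf"}}},
]
```

Running `audit_functions(SAMPLE_FUNCTIONS)` flags `orders-api` and `report-job` only; a function that stores just the secret's ARN and fetches the value at runtime passes.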

Backout Plan:

Using AWS Console:

  1. If application functionality is impacted after removing secrets from environment variables, temporarily re-add them in encrypted form while fixing retrieval logic.
  2. Once the issue is resolved, revert to using Secrets Manager or Parameter Store permanently.

References: