Profile Applicability:
Level 1
Description:
This control ensures that AWS Lambda function code does not contain embedded secrets such as passwords, API keys, tokens, private keys, or other sensitive credentials. Secrets stored directly in Lambda code or in plaintext environment variables can be read by anyone with read access to the function: lambda:GetFunction returns both the environment variables and a download URL for the deployment package, so the secret is exposed to every principal holding that permission, leading to data exposure or unauthorized access to other AWS or third-party services.
Rationale:
Hardcoding secrets in Lambda functions breaks the separation between code and credentials: every principal, pipeline, or backup with read access to the deployment package, the function configuration, the source repository, or logs that echo the environment holds a working credential, whatever its IAM permissions on the target service. Secrets should instead be managed through AWS Secrets Manager or AWS Systems Manager Parameter Store (SecureString) and fetched at runtime by the execution role, or, at minimum, stored in environment variables encrypted client-side with AWS KMS (Lambda's encryption helpers) and decrypted in code. Lambda already encrypts all environment variables at rest with KMS, but that default does not help here, because lambda:GetFunctionConfiguration still returns the plaintext values. Retrieving secrets at runtime keeps them confidential, allows rotation without redeploying code, supports compliance requirements (such as CIS, SOC 2, ISO 27001, and NIST 800-53), and reduces the risk of credential leaks.
Impact:
Positive Impact: Strengthens application security by ensuring all sensitive data is protected and managed securely, preventing unauthorized access and credential theft.
Negative Impact: Requires modification of Lambda code to fetch secrets at runtime rather than embedding them, an execution-role policy granting read access to the specific secrets, and caching of fetched values to avoid added latency and API cost on every invocation.
Default Value:
By default, AWS Lambda does not restrict the inclusion of secrets in function code or environment variables.
Pre-Requisite:
IAM permissions required: lambda:ListFunctions, lambda:GetFunction (returns the configuration including environment variables, plus a presigned URL for the deployment package), lambda:GetFunctionConfiguration. Viewing environment variables of functions that use a customer-managed KMS key additionally requires kms:Decrypt on that key.
A list of keywords or patterns to identify secrets, both by name (e.g., “password”, “secret”, “apikey”, “token”, “privatekey”) and by value shape (e.g., AWS access key IDs beginning with AKIA or ASIA, PEM blocks beginning with -----BEGIN PRIVATE KEY-----).
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Lambda → Functions.
Select a function and open the Code tab.
Review the source code, bundled configuration files (.env, .json, .yaml), and attached layers for hardcoded secrets such as passwords, tokens, or credentials. Functions deployed as container images have no Code tab; review the image's source repository instead.
Check the Configuration → Environment variables section for plaintext secrets. A variable whose value is a Secrets Manager ARN or Parameter Store name is a reference, not a secret, and is acceptable.
If any secrets are found in the code or environment variables, the function is non-compliant.
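The console review above does not scale past a handful of functions. The following script is an added example (not part of this benchmark and not an AWS tool) that automates the same test: it pulls each function's environment variables and deployment package through lambda:ListFunctions and lambda:GetFunction and applies name and value patterns to both. The SAMPLE_ENV map and the package built by build_sample_package() are constructed inputs with made-up values (the access key is the example key from the AWS documentation, the account ID is the documentation placeholder); the reference-detection heuristic in is_secret_reference() is an assumption of this example, not an AWS rule. main() assumes boto3 is installed and credentials are configured.

```python
import io
import re
import zipfile

# Variable names that normally carry a credential.
SENSITIVE_NAME = re.compile(r"password|passwd|secret|api[_-]?key|token|private[_-]?key", re.I)

# Value shapes that identify a secret on their own, in code or in a variable value.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # an identifier containing password/secret/token/... assigned a quoted literal of 8+ chars
    "credential_assignment": re.compile(
        r"\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.I),
}
TEXT_SUFFIXES = (".py", ".js", ".mjs", ".ts", ".java", ".go", ".rb", ".json",
                 ".yaml", ".yml", ".env", ".txt", ".cfg", ".ini", ".md")


def is_secret_reference(value):
    """A pointer to a secret is acceptable in an environment variable, the secret
    itself is not. Heuristic (assumption): a Secrets Manager or SSM ARN, or an SSM path."""
    return value.startswith(("arn:aws:secretsmanager:", "arn:aws:ssm:", "/"))


def scan_environment(env):
    """Findings for a function's Environment.Variables map."""
    findings = []
    for name, value in env.items():
        if SENSITIVE_NAME.search(name) and not is_secret_reference(value):
            findings.append({"location": "env:" + name, "kind": "sensitive_variable"})
        for kind, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append({"location": "env:" + name, "kind": kind})
    return findings


def scan_package(zip_bytes):
    """Findings for every text file inside a .zip deployment package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for kind, pattern in VALUE_PATTERNS.items():
                    if pattern.search(line):
                        findings.append({"location": f"{info.filename}:{lineno}", "kind": kind})
    return findings


# Constructed sample input. Values are made up; the access key is the example key
# from the AWS documentation and the account ID is the documentation placeholder.
SAMPLE_ENV = {
    "DB_PASSWORD": "correct-horse-battery",                                         # finding
    "API_TOKEN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-token",  # reference, fine
    "LOG_LEVEL": "INFO",
}


def build_sample_package():
    """In-memory .zip holding a handler with an embedded access key and password."""
    handler = (
        "import os\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
        "def handler(event, context):\n"
        "    return {'statusCode': 200}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lambda_function.py", handler)
    return buf.getvalue()


def main():
    """Scan every function in the configured account and region. Needs boto3 plus
    lambda:ListFunctions and lambda:GetFunction (and kms:Decrypt on the key when the
    environment variables use a customer-managed KMS key)."""
    import urllib.request
    import boto3
    lam = boto3.client("lambda")
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            name = fn["FunctionName"]
            detail = lam.get_function(FunctionName=name)
            env = detail["Configuration"].get("Environment", {}).get("Variables", {})
            findings = scan_environment(env)
            if detail["Code"].get("RepositoryType") == "S3":  # .zip package, not a container image
                with urllib.request.urlopen(detail["Code"]["Location"]) as resp:
                    findings += scan_package(resp.read())
            print(name, "NON-COMPLIANT" if findings else "compliant")
            for f in findings:
                print("   ", f["kind"], "at", f["location"])


if __name__ == "__main__":
    main()
```

Run it as-is against an account to list non-compliant functions; run scan_environment(SAMPLE_ENV) and scan_package(build_sample_package()) to see the two kinds of finding offline. Environment variables protected with Lambda's encryption helpers arrive as ciphertext and will not be flagged, which is the intended outcome; container-image functions are only checked for environment variables, so their image sources still need the repository scanning described under the Implementation Plan.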
Implementation Plan
Using AWS Console:
Identify Lambda functions containing secrets in their code or configuration.
Remove any hardcoded credentials from the function code.
Store sensitive data securely using one of the following services:
AWS Secrets Manager: Centralized, encrypted secret storage.
AWS Systems Manager Parameter Store (SecureString): For managing encrypted configuration data.
Update the Lambda function to retrieve secrets at runtime through its execution role, granting that role only secretsmanager:GetSecretValue (or ssm:GetParameter plus kms:Decrypt for SecureString parameters) on the specific secret ARNs, and cache the fetched value across warm invocations.
Redeploy the sanitized function, then rotate every secret that was embedded, since it must be treated as compromised, and purge it from version-control history.
Implement continuous scanning using tools like AWS CodeGuru, GitHub Advanced Security, or TruffleHog to detect hardcoded secrets in repositories or Lambda packages.
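The runtime-retrieval step above, as an added example that is not part of this benchmark: a handler that reads only a secret identifier from its environment and fetches the credential from AWS Secrets Manager at invocation time, caching it at module level so warm invocations do not call the API again. The environment variable name SECRET_ID, the secret name prod/db/credentials, the JSON layout of the secret, and the FakeSecretsManager stand-in are all assumptions made for this example; in production the execution role needs secretsmanager:GetSecretValue scoped to that secret's ARN and the real boto3 client is used.

```python
import json
import os
import time

CACHE_TTL_SECONDS = 300
_CACHE = {}  # secret_id -> (expires_at, value); module level so it survives warm invocations


def get_secret(secret_id, client, now=None):
    """Return the secret string for secret_id, calling Secrets Manager only when the
    cached copy is missing or older than CACHE_TTL_SECONDS. `client` is a boto3
    secretsmanager client or anything exposing get_secret_value(SecretId=...)."""
    now = time.time() if now is None else now
    cached = _CACHE.get(secret_id)
    if cached and cached[0] > now:
        return cached[1]
    resp = client.get_secret_value(SecretId=secret_id)
    value = resp["SecretString"]  # binary secrets arrive as resp["SecretBinary"] instead
    _CACHE[secret_id] = (now + CACHE_TTL_SECONDS, value)
    return value


def handler(event, context, client=None):
    """Lambda entry point. The non-compliant form of this file had
    DB_PASSWORD = 'hunter2' as a module constant; now only the secret's ID comes from
    the environment (assumed variable name SECRET_ID) and the value is fetched at runtime."""
    if client is None:
        import boto3  # real client; the execution role needs secretsmanager:GetSecretValue
        client = boto3.client("secretsmanager")
    creds = json.loads(get_secret(os.environ["SECRET_ID"], client))
    # ... open the database connection with creds["username"] / creds["password"] ...
    return {"statusCode": 200, "body": json.dumps({"connected_as": creds["username"]})}


class FakeSecretsManager:
    """Constructed stand-in for boto3's client so the flow runs offline; it counts how
    many times the function actually reached for the secret."""
    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:" + SecretId,
                "Name": SecretId, "SecretString": self.secret_string}


def demo():
    """Two warm invocations share one fetch; a lookup after the TTL fetches again."""
    os.environ["SECRET_ID"] = "prod/db/credentials"  # assumed name, set for the demo
    _CACHE.clear()
    client = FakeSecretsManager(json.dumps({"username": "app_rw", "password": "made-up"}))
    first = handler({}, None, client=client)
    second = handler({}, None, client=client)
    calls_after_two_invocations = client.calls
    # simulate the cache expiring by asking for the secret CACHE_TTL_SECONDS later
    get_secret("prod/db/credentials", client, now=time.time() + CACHE_TTL_SECONDS + 1)
    return first == second, calls_after_two_invocations, client.calls


if __name__ == "__main__":
    print(demo())
```

The cache is deliberately per-execution-environment and time-bounded: a rotated secret is picked up within CACHE_TTL_SECONDS without a redeploy, while steady-state traffic does not pay a Secrets Manager call per invocation. Keep the handler's own error handling in mind when wiring the real client: a missing secret or a role without secretsmanager:GetSecretValue raises from get_secret_value, which is the correct failure mode (the function should not fall back to an embedded value).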
Backout Plan:
If secret retrieval at runtime causes failures, temporarily store the value in an environment variable encrypted with Lambda's KMS encryption helpers (encryption in transit) and decrypt it in the handler; Lambda's default at-rest encryption alone still returns the plaintext to anyone who can read the function configuration, so it is not an acceptable interim state.
Roll back to the previous published Lambda version using the Lambda console → Versions tab (repointing any alias to it) while applying secure secret management in parallel.
References: