Profile Applicability:
Level 1
Description:
This control ensures that AWS Lambda functions do not contain any secrets (such as passwords, API keys, access tokens, or private keys) directly in the source code. Hardcoding secrets within the function code exposes sensitive information to anyone who has access to the Lambda function, increasing the risk of data breaches, unauthorized access, or privilege escalation.
Rationale:
Storing secrets in plaintext within Lambda function code increases the potential for leaks, especially when the code is stored in version control systems, exposed through logs, or retrieved by unauthorized users. Secrets should be stored securely using AWS Secrets Manager, AWS Systems Manager Parameter Store (with encryption), or environment variables with KMS encryption enabled, to ensure that they are managed safely. This approach reduces the attack surface, prevents unauthorized access, and complies with best practices and regulatory frameworks such as CIS, SOC 2, ISO 27001, and NIST 800-53.
Impact:
Positive Impact: Enhances security by preventing the accidental exposure of sensitive credentials and improving the management of secrets through centralized, secure solutions.
Negative Impact: Requires refactoring Lambda code to securely retrieve secrets from a managed store at runtime, potentially adding development overhead.
Default Value:
By default, AWS Lambda does not automatically enforce secret management, and developers can hardcode secrets in function code.
Pre-Requisite:
- IAM permissions required: lambda:ListFunctions, lambda:GetFunctionConfiguration, secretsmanager:GetSecretValue, ssm:GetParameter.
- Define a secure secrets management strategy using AWS Secrets Manager or Parameter Store.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Lambda → Functions.
Select each Lambda function and inspect the function code.
Review the code for any hardcoded secrets, such as:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- SECRET_KEY
- token=
- password=
- private_key=
- etc.
If any secrets are found in the code, the function is non-compliant.
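The manual review above can be scripted. The following Python scanner is an added example and is not part of the benchmark; it assumes the function's source has already been downloaded as text, uses the indicator names from the Test Plan, and treats a line as a hardcoded secret only when a literal value is assigned on that line (lines that read from environment variables, Secrets Manager or Parameter Store are skipped, which is an assumption about what counts as a managed source).

```python
import re

# Indicator names taken from the Test Plan (not an exhaustive list).
SECRET_INDICATORS = [
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "SECRET_KEY",
    "token=",
    "password=",
    "private_key=",
]

# Assumption: a line that pulls the value from a managed source is not hardcoded.
MANAGED_SOURCE = re.compile(r"os\.environ|getenv|get_secret_value|get_parameter", re.I)

# A quoted literal assigned on the same line is what makes the secret hardcoded.
LITERAL_VALUE = re.compile(r"""=\s*['"][^'"]+['"]""")


def find_hardcoded_secrets(source: str):
    """Return (line_number, line) for each line that appears to hardcode a secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Collapse "password = '...'" to "password='...'" so the "password=" indicator matches.
        normalized = re.sub(r"\s*=\s*", "=", line)
        if not any(ind.lower() in normalized.lower() for ind in SECRET_INDICATORS):
            continue
        if MANAGED_SOURCE.search(line):
            continue  # value is retrieved at runtime, not embedded
        if not LITERAL_VALUE.search(normalized):
            continue  # indicator present but no literal value on this line
        findings.append((lineno, line.strip()))
    return findings


def is_compliant(source: str) -> bool:
    """The function is non-compliant if any hardcoded secret is found."""
    return not find_hardcoded_secrets(source)


# Constructed sample function code; the values are placeholders, not real credentials.
NONCOMPLIANT = '''
import os
AWS_ACCESS_KEY_ID = "PLACEHOLDER-KEY-ID"
password = "placeholder-password"
def handler(event, context):
    token = os.environ["API_TOKEN"]
    return "ok"
'''

COMPLIANT = '''
import boto3
def handler(event, context):
    secret = boto3.client("secretsmanager").get_secret_value(SecretId="app/db")
    return "ok"
'''

if __name__ == "__main__":
    for lineno, text in find_hardcoded_secrets(NONCOMPLIANT):
        print(f"line {lineno}: {text}")
```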
Implementation Plan
Using AWS Console:
Identify all Lambda functions that contain hardcoded secrets in their source code.
For each Lambda function:
Replace hardcoded secrets with AWS Secrets Manager or AWS Systems Manager Parameter Store API calls to retrieve secrets securely at runtime.
If using environment variables, ensure that they are encrypted with KMS.
Test the function to verify it can securely access and use the secrets from the managed service.
Remove all hardcoded secrets from the Lambda function code and commit the changes to a secure repository.
Ensure that secrets management is integrated into the development pipeline to prevent future hardcoding of secrets.
Backout Plan:
Using AWS Console:
- If issues arise after refactoring Lambda functions, temporarily revert to the previous version of the function code with the hardcoded secrets, while troubleshooting the secure retrieval approach.
- Once resolved, permanently adopt secure secret retrieval via AWS Secrets Manager or Parameter Store.
References:
- AWS Lambda Environment Variables
- AWS Secrets Manager Documentation
- AWS Systems Manager Parameter Store
- AWS Security Best Practices Whitepaper