Lambda function's environment variables expose secrets
Description
A function's metadata includes environment variable fields that hold small pieces of configuration the function needs in order to run. These variables can be read by any entity with the most basic read-metadata-only permissions, and cannot be encrypted. The Lambda runtime makes environment variables available to your code, which is convenient for configuration, but secrets should not be passed in code or environment variables. We recommend removing secrets from unencrypted locations, especially ones that are easy to access, to reduce the risk of exposing data to third parties.
Remediation
CLI Command
To see the secrets, run the following CLI command:

Code Example
```shell
aws lambda get-function-configuration \
  --region <REGION> \
  --function-name <FUNCTION_NAME> \
  --query Environment.Variables
```
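The command above prints the function's environment variables as a JSON object (or `null` when the function has none). The script below is an added example, not code from the original page or from Checkov, that reads that JSON and flags variables that look like exposed credentials. The sample output, the secret-name pattern, the AWS access key ID pattern, the entropy threshold and the treatment of Secrets Manager / SSM ARNs as safe references are all assumptions made for illustration.

```python
import json
import math
import re

# Constructed sample of what `aws lambda get-function-configuration
# --query Environment.Variables` might print for a misconfigured function.
# None of these values are real credentials.
SAMPLE_OUTPUT = json.dumps({
    "LOG_LEVEL": "INFO",
    "TABLE_NAME": "orders",
    "DB_PASSWORD": "hunter2-example",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE00",  # constructed, not a real key
    "API_TOKEN_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-token",
})

# Variable names that usually carry a credential (assumed heuristic).
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|CREDENTIAL)",
    re.IGNORECASE,
)

# Values that look like a credential regardless of the variable name.
SECRET_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A pointer to a secret store is the recommended pattern: the variable holds
# an ARN, and the function fetches the secret at runtime with its own role.
SAFE_REFERENCE_RE = re.compile(r"^arn:aws:(secretsmanager|ssm):")

# Values at least this long and this random-looking are treated as suspect.
MIN_ENTROPY_LEN = 20
ENTROPY_THRESHOLD = 4.0  # bits per character, assumed threshold


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_exposed_secrets(env_vars):
    """Return a list of {'name', 'reasons'} for variables that look like secrets."""
    findings = []
    for name, value in env_vars.items():
        value = str(value)
        if SAFE_REFERENCE_RE.match(value):
            continue  # reference to a secret store, not the secret itself
        reasons = []
        if SECRET_NAME_RE.search(name):
            reasons.append("name suggests a credential")
        for label, pattern in SECRET_VALUE_PATTERNS.items():
            if pattern.search(value):
                reasons.append("value matches " + label)
        if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append("value is long and high-entropy")
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


def scan_cli_output(text):
    """Parse the CLI's JSON output; `null` (no variables) yields no findings."""
    data = json.loads(text)
    if not data:
        return []
    return find_exposed_secrets(data)


if __name__ == "__main__":
    for finding in scan_cli_output(SAMPLE_OUTPUT):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Running it against the constructed sample reports `DB_PASSWORD` and `AWS_ACCESS_KEY_ID` while leaving `API_TOKEN_ARN` alone, which is the shape a remediated configuration should have: the variable names a secret, but its value is only a reference that the function resolves at runtime under its execution role.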
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0099 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_45 |