Enable Encryption for Lambda Environment Variables


Risk level: High (not acceptable risk)
Rule ID: Lambda-008

Ensure that all Amazon Lambda environment variables that store sensitive information such as passwords, tokens and access keys are encrypted in order to meet security and compliance requirements. The environment variables defined for your AWS Lambda functions are key-value pairs used to store configuration settings without changing function code. By default, this rule treats as sensitive every Lambda environment variable whose key (name) is "pass", "password", "api", "API", "Key", "KEY" or "key", or contains the string "token" (i.e. "*token*"), and reports those whose values are stored in plaintext. You can add your own environment variable names within the rule settings on the Cloud Conformity console.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Lambda always encrypts stored environment variables at rest with an AWS KMS key, but that protection is transparent: anyone who can call lambda:GetFunctionConfiguration or open the function in the console sees the plaintext values. The encryption helpers (encryption in transit) add a second layer: the value is encrypted with KMS before it is stored, only the ciphertext appears in the function configuration, and the function code must call kms:Decrypt at runtime (so its execution role needs that permission on the key). When dealing with AWS Lambda environment variables that hold sensitive and critical data, it is highly recommended to apply this client-side encryption in order to protect the data that you dynamically pass to your functions (usually access credentials) from unauthorized access.


Audit

To determine if the environment variables that pass sensitive information to your Lambda functions (defined within conformity rule settings) are encrypted, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access the configuration page.

05 Scroll down to Environment variables and click Edit to open the panel with the Edit environment variables.

06 Expand Encryption configuration and check the Enable helpers for encryption in transit setting. If the checkbox is not selected, or it is selected but the environment variables defined within the rule settings (identified by key name) still show readable plaintext values instead of ciphertext, the variables that pass sensitive data to the selected function are not encrypted, therefore the sensitive information is not protected from unauthorized access.

07 Repeat steps no. 4 - 6 to verify the encryption status of the targeted environment variables defined for other AWS Lambda functions, available within the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available within the selected region:

aws lambda list-functions \
  --region us-east-1 \
  --query 'Functions[*].FunctionName'

02 The command output should return an array with the requested function names:

[
  "ProcessUserMetadata",
  "FetchS3ObjectMetadata"
]

03 Run get-function command (OSX/Linux/UNIX) using the Lambda function name returned at the previous step and custom query filters to describe the environment variables defined for the selected Amazon Lambda function:

aws lambda get-function \
  --region us-east-1 \
  --function-name ProcessUserMetadata \
  --query 'Configuration.Environment'

04 The command output should return the requested Lambda environment variables:

{
  "Variables": {
      "password": "mydbpassword",
      "name": "mydbname",
      "user": "mydbuser"
  }
}
Identify the name (key) assigned to each environment variable returned by the command output, available within the Variables object, and compare it with each variable defined within the conformity rule settings. If one or more environment variables match the ones defined within rule settings and the value set for these variables is not listed as ciphertext (example of ciphertext: "AQECAHiDgSGpKDlN+Bq ... R3wV3hkYBNAJwis8JvuVJ80="), the verified variables are not encrypted, therefore the sensitive data that is passed to the selected function is not protected from unauthorized access.

05 Repeat step no. 3 and 4 to verify the encryption status of the targeted environment variables defined for other AWS Lambda functions, available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
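The audit steps above can be automated. The following is an added example (not code from the Conformity page or the Conformity tool): a pure function that applies the rule's default key-name list to a set of function configurations and flags sensitive variables whose values are not KMS ciphertext, plus a live variant that feeds it the output of list-functions via boto3 (list-functions already returns each function's Environment, so no per-function get-function call is needed). The ciphertext test is a heuristic built on the "AQ..." prefix visible in the page's sample (base64 of a blob whose first byte is 0x01) together with a length floor; it is an observed convention, not a documented format. The sample configurations, the fake ciphertext and the case-insensitive handling of "token" are constructed for the example.

```python
"""Flag Lambda environment variables that carry secrets in plaintext (added example)."""
import base64

# Default sensitive key names from the rule settings. Exact names are matched as
# listed; any key containing "token" matches too. Assumption: the page lists only
# lowercase "token", so treating the substring case-insensitively is our choice.
EXACT_SENSITIVE_NAMES = {"pass", "password", "api", "API", "Key", "KEY", "key"}
SUBSTRING_SENSITIVE_NAMES = ("token",)


def is_sensitive_name(name: str) -> bool:
    if name in EXACT_SENSITIVE_NAMES:
        return True
    lowered = name.lower()
    return any(part in lowered for part in SUBSTRING_SENSITIVE_NAMES)


def looks_like_kms_ciphertext(value: str) -> bool:
    """Heuristic: a base64 KMS CiphertextBlob decodes to bytes starting with 0x01
    (the "AQ..." prefix in the page's sample). The length floor rejects short
    strings such as "mydbpassword" that happen to be valid base64."""
    if len(value) < 64:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and raw[0] == 0x01


def find_plaintext_secrets(variables: dict) -> list:
    """Names of sensitive variables whose value is not ciphertext, sorted."""
    return sorted(
        name for name, value in variables.items()
        if is_sensitive_name(name) and not looks_like_kms_ciphertext(value)
    )


def audit_functions(configs: list) -> dict:
    """Map function name -> offending variable names. `configs` are
    FunctionConfiguration objects as returned under Functions[] by list-functions."""
    findings = {}
    for cfg in configs:
        variables = cfg.get("Environment", {}).get("Variables", {})
        offending = find_plaintext_secrets(variables)
        if offending:
            findings[cfg["FunctionName"]] = offending
    return findings


# Constructed sample mirroring the CLI output in step 04. The "ciphertext" is a
# fake base64 blob with a 0x01 leading byte, not real KMS output.
FAKE_CIPHERTEXT = base64.b64encode(b"\x01\x02\x02\x00" + b"\x00" * 76).decode()
SAMPLE_CONFIGS = [
    {"FunctionName": "ProcessUserMetadata",
     "Environment": {"Variables": {"password": "mydbpassword", "name": "mydbname", "user": "mydbuser"}}},
    {"FunctionName": "FetchS3ObjectMetadata",
     "Environment": {"Variables": {"API_TOKEN": FAKE_CIPHERTEXT, "region": "us-east-1"}}},
    {"FunctionName": "NoEnvFunction"},
]


def scan_region(region: str) -> dict:
    """Live variant: page through list-functions in one region (needs credentials)."""
    import boto3  # imported here so the offline parts run without boto3 installed
    client = boto3.client("lambda", region_name=region)
    configs = []
    for page in client.get_paginator("list_functions").paginate():
        configs.extend(page["Functions"])
    return audit_functions(configs)


if __name__ == "__main__":
    for function_name, keys in audit_functions(SAMPLE_CONFIGS).items():
        print(f"{function_name}: plaintext secrets in {', '.join(keys)}")
```

Run scan_region() once per region to cover the whole account, as steps 05 and 06 require; the offline run over SAMPLE_CONFIGS reports only ProcessUserMetadata, because FetchS3ObjectMetadata's API_TOKEN is already ciphertext.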

Remediation / Resolution

To encrypt the environment variables that pass sensitive information to your AWS Lambda functions, perform the following actions:

Note: The console encryption helper (the Encrypt button described below) has no direct equivalent in the AWS CLI. The same result can be achieved manually: encrypt the value with aws kms encrypt, base64-encode the returned CiphertextBlob, and write it with aws lambda update-function-configuration --environment. Be aware that the --environment parameter replaces the whole Variables map, so every existing variable must be resent along with the encrypted one.

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to reconfigure (see Audit section part I to identify the right Lambda resource), then click on the function name.

05 Scroll down to Environment variables and click Edit to open the panel with the Edit environment variables.

06 If the encryption helpers for the selected function are not enabled, select the Enable helpers for encryption in transit checkbox to enable them, otherwise skip this step.

07 Select the aws/lambda (default) key from the Encryption key dropdown list to encrypt the environment variables with the AWS managed key. To achieve better control over who can use the key and access the encrypted data, you can create and manage your own Customer Master Key (CMK) by following the instructions outlined in this conformity rule. The key is a symmetric 256-bit AES key managed by AWS Key Management Service (AWS KMS); its key policy, together with IAM, decides which principals can decrypt the values.

08 Choose the environment variable that holds sensitive data, then click the Encrypt button next to the variable value. This masks the value you entered and results in a call to AWS KMS to encrypt the value and return it as ciphertext. Note that the Decrypt secrets snippet in the Encryption in transit window provides sample decrypt code specific to the runtime of your Lambda function that you can use in your application; the function's execution role must be allowed kms:Decrypt on the selected key, otherwise decryption fails at runtime. Repeat the step to enable encryption for other environment variables that pass sensitive data to the selected Lambda function.

09 Click the Save button from the dashboard top menu to apply the changes and encrypt the selected environment variable(s).

10 Repeat steps no. 4 – 9 to encrypt environment variables for other AWS Lambda functions available within the current region.

11 Change the AWS region from the navigation bar and repeat the entire process for other regions.
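The following added example (not code from the Conformity page or from AWS) shows both halves of the flow the console helper performs, done through the API instead: the operator side encrypts a secret with kms:Encrypt and writes the base64 ciphertext into a merged Variables map (resending the untouched variables, since update-function-configuration replaces the whole map), and the function side decrypts it at cold start. It assumes the same encryption-context shape the console helper uses, {"LambdaFunctionName": <name>}, which binds the ciphertext to one function; whatever context you encrypt with must be supplied verbatim on decrypt. The KMS and Lambda clients are parameters, so with boto3 you pass boto3.client("kms") and boto3.client("lambda"); FakeKms, FakeLambda, the key alias alias/lambda-env-secrets and the sample variables are constructed stand-ins for offline use.

```python
"""Encrypt a Lambda environment variable with KMS and read it back in the function (added example)."""
import base64
import os


def encryption_context(function_name: str) -> dict:
    # Same shape as the console helper's context; a different function name on
    # decrypt makes KMS reject the ciphertext, which is the point of the binding.
    return {"LambdaFunctionName": function_name}


def encrypt_variable(kms, key_id: str, function_name: str, plaintext: str) -> str:
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext.encode(),
                       EncryptionContext=encryption_context(function_name))
    # Environment variables are strings, so the blob is stored base64-encoded.
    return base64.b64encode(resp["CiphertextBlob"]).decode()


def merge_variables(current: dict, updates: dict) -> dict:
    """update-function-configuration replaces the whole Variables map: keep
    every existing variable and overwrite only the ones being encrypted."""
    merged = dict(current)
    merged.update(updates)
    return merged


def encrypt_function_secrets(lambda_client, kms, function_name: str, key_id: str, secrets: dict) -> dict:
    """Operator side: encrypt each plaintext in `secrets` and push the merged map."""
    cfg = lambda_client.get_function_configuration(FunctionName=function_name)
    current = cfg.get("Environment", {}).get("Variables", {})
    encrypted = {name: encrypt_variable(kms, key_id, function_name, value)
                 for name, value in secrets.items()}
    new_vars = merge_variables(current, encrypted)
    lambda_client.update_function_configuration(FunctionName=function_name,
                                                Environment={"Variables": new_vars})
    return new_vars


def decrypt_variable(kms, name: str, environ=None) -> str:
    """Function side: call once at cold start; the execution role needs kms:Decrypt."""
    env = os.environ if environ is None else environ
    resp = kms.decrypt(CiphertextBlob=base64.b64decode(env[name]),
                       EncryptionContext=encryption_context(env["AWS_LAMBDA_FUNCTION_NAME"]))
    return resp["Plaintext"].decode()


class FakeKms:
    """Constructed stand-in: XOR is not encryption, it only lets the flow run
    offline and reproduces KMS's context check on decrypt."""
    def __init__(self):
        self.contexts = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        blob = b"\x01" + bytes(b ^ 0x5A for b in Plaintext)
        self.contexts[blob] = dict(EncryptionContext)
        return {"CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        if self.contexts.get(CiphertextBlob) != EncryptionContext:
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": bytes(b ^ 0x5A for b in CiphertextBlob[1:])}


class FakeLambda:
    """Constructed stand-in holding one function's Variables map."""
    def __init__(self, variables):
        self.variables = dict(variables)

    def get_function_configuration(self, FunctionName):
        return {"FunctionName": FunctionName, "Environment": {"Variables": dict(self.variables)}}

    def update_function_configuration(self, FunctionName, Environment):
        self.variables = dict(Environment["Variables"])
        return {"FunctionName": FunctionName, "Environment": Environment}


def demo() -> tuple:
    """Encrypt the sample function's password, then decrypt it as the function would."""
    kms = FakeKms()
    lam = FakeLambda({"password": "mydbpassword", "name": "mydbname", "user": "mydbuser"})
    new_vars = encrypt_function_secrets(lam, kms, "ProcessUserMetadata",
                                        "alias/lambda-env-secrets", {"password": "mydbpassword"})
    runtime_env = dict(lam.variables, AWS_LAMBDA_FUNCTION_NAME="ProcessUserMetadata")
    return new_vars, decrypt_variable(kms, "password", runtime_env)


if __name__ == "__main__":
    stored, recovered = demo()
    print("stored:", stored["password"])
    print("recovered in function:", recovered)
```

Cache the decrypted value in a module-level variable so kms:Decrypt runs once per container rather than per invocation, and scope the key policy so only the function's execution role (not the deployers who can read the configuration) is allowed kms:Decrypt; that separation is what makes the ciphertext in the configuration worth more than the at-rest encryption Lambda already applies.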


Publication date Nov 27, 2020
