Ensure that all AWS Lambda environment variables that store sensitive information such as passwords, tokens and access keys are encrypted in order to meet security and compliance requirements. The environment variables defined for your AWS Lambda functions are key-value pairs used to store configuration settings without changing the function code. By default, this rule treats a Lambda environment variable as sensitive when its key (name) is "pass", "password", "api", "API", "Key", "KEY" or "key", or matches "*token*" (i.e. any key name that contains the string "token"). You can also define your own environment variable names within the rule settings on the Cloud Conformity console.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When dealing with AWS Lambda environment variables that hold sensitive and critical data, it is highly recommended to implement encryption in order to protect the data that you dynamically pass to your functions (usually access information) from unauthorized access.
Audit
To determine if the environment variables that pass sensitive information to your Lambda functions (defined within conformity rule settings) are encrypted, perform the following:
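The audit steps themselves are not reproduced on this page, so the following is an added example (not Cloud Conformity's own audit procedure) of the kind of name-based triage the rule description implies. It takes the JSON returned by `aws lambda get-function` or `aws lambda get-function-configuration` (both referenced below), applies the default sensitive-name patterns listed above plus any custom names, and reports whether the function has a customer-managed KMS key configured (`KMSKeyArn`, which Lambda returns only when such a key is set). The function configurations are constructed inline so the script runs offline; the key ARN, account ID and function names are placeholders, and treating the "*token*" pattern as case-insensitive is an assumption.

```python
import json

# Default sensitive variable names from the rule description. Exact-name
# matches are case-sensitive as listed; the "*token*" pattern is applied
# case-insensitively (an assumption; the rule text does not say).
DEFAULT_SENSITIVE_NAMES = {"pass", "password", "api", "API", "Key", "KEY", "key"}


def is_sensitive_name(name, extra_names=()):
    """True if an environment variable name matches the rule's default
    patterns or one of the custom names configured in the rule settings."""
    if name in DEFAULT_SENSITIVE_NAMES or name in set(extra_names):
        return True
    return "token" in name.lower()


def audit_function(config, extra_names=()):
    """Audit one function configuration.

    Accepts either the output of `get-function` (configuration nested under
    "Configuration") or of `get-function-configuration` (flat). Values are
    never returned or printed: only the variable *names* are reported."""
    cfg = config.get("Configuration", config)
    variables = cfg.get("Environment", {}).get("Variables", {})
    sensitive = sorted(n for n in variables if is_sensitive_name(n, extra_names))
    # Lambda returns KMSKeyArn only when a customer-managed key is configured.
    kms_key = cfg.get("KMSKeyArn")
    return {
        "FunctionName": cfg.get("FunctionName"),
        "SensitiveVariables": sensitive,
        "KMSKeyArn": kms_key,
        # Sensitive-looking variables with no customer-managed key: review it.
        "NeedsAttention": bool(sensitive) and kms_key is None,
    }


def audit_all(configs, extra_names=()):
    return [audit_function(c, extra_names) for c in configs]


# Constructed sample configurations (placeholder ARNs, account ID and values);
# in practice these come from the CLI commands referenced on this page.
SAMPLE_CONFIGS = json.loads("""
[
  {
    "FunctionName": "orders-processor",
    "Environment": {
      "Variables": {
        "DB_HOST": "db.internal.example",
        "password": "PLACEHOLDER-NOT-A-REAL-SECRET",
        "session_token": "PLACEHOLDER-NOT-A-REAL-SECRET"
      }
    }
  },
  {
    "Configuration": {
      "FunctionName": "report-generator",
      "KMSKeyArn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
      "Environment": {
        "Variables": {"API_KEY": "PLACEHOLDER-NOT-A-REAL-SECRET"}
      }
    },
    "Code": {"RepositoryType": "S3"}
  },
  {
    "FunctionName": "health-check"
  }
]
""")


if __name__ == "__main__":
    # "API_KEY" is not a default pattern, so it is passed as a custom name.
    for row in audit_all(SAMPLE_CONFIGS, extra_names=("API_KEY",)):
        print(json.dumps(row))
```

Note that `API_KEY` is flagged only when added as a custom name, which is why the rule lets you extend the default list; and an absent `KMSKeyArn` means the default AWS-managed key is in use, not that the variables are stored in plaintext, so the result is a review list rather than a finding on its own.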
Remediation / Resolution
To encrypt the environment variables that pass sensitive information to your AWS Lambda functions, perform the following actions:
Note: Enabling encryption for specific AWS Lambda environment variables using the AWS API via the Command Line Interface (CLI) is not currently supported.
References
- AWS Documentation
  - AWS Lambda FAQs
  - Using AWS Lambda environment variables
  - Securing environment variables
- AWS Command Line Interface (CLI) Documentation
  - lambda
  - list-functions
  - get-function
Rule: Enable Encryption for Lambda Environment Variables
Risk level: High