Lambda env var secrets
Check ID: aws-lambda-003
AWS-LAMBDA-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks for Lambda functions with environment variable names matching secret patterns (SECRET, PASSWORD, API_KEY, TOKEN, etc.).
Why it matters
Lambda environment variables are stored in plaintext and are visible to anyone holding the lambda:GetFunctionConfiguration IAM permission, which is included in common managed policies such as ReadOnlyAccess. The values appear in the AWS Console, in CLI responses, and in CloudFormation/Terraform state files. If your state file is stored in an S3 bucket, the secrets are also in that bucket in plaintext. In 2022, the Uber breach investigation revealed that attackers found AWS credentials stored in Lambda environment variables after compromising a developer account. Store secrets in AWS Secrets Manager or SSM Parameter Store (SecureString type) and retrieve them at runtime. This adds approximately 50-100ms of cold start latency but provides encryption, rotation, and audit logging.
Common causes
Secrets end up in Lambda environment variables because it is the simplest way to pass configuration during initial development. Engineers follow quick-start guides and tutorials that demonstrate environment variables for database passwords without mentioning Secrets Manager. Migrating existing functions to use Secrets Manager requires code changes and IAM permission updates, so teams defer the migration for functions that are already running in production.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
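The name-matching logic behind this check, as an added example rather than cloud-audit's own code: it flags variables whose names match the secret patterns listed above, skips variables whose value is only a reference to a Secrets Manager or SSM resource (an ARN), and runs over constructed function configurations shaped like ListFunctions / GetFunctionConfiguration output. The regexes and the helper names are assumptions; scan_region is the optional live path and needs boto3 plus AWS credentials.

```python
import re

# Name patterns from the check description; the regex itself is constructed here,
# not taken from cloud-audit.
SECRET_NAME_PATTERN = re.compile(
    r"(SECRET|PASSWORD|PASSWD|API_?KEY|TOKEN|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE
)

# A value that merely points at a secret store is a reference, not a secret.
SAFE_VALUE_PATTERN = re.compile(r"^arn:aws:(secretsmanager|ssm):")


def flag_env_vars(config):
    """Names of env vars in one function configuration dict that look like secrets."""
    env = (config.get("Environment") or {}).get("Variables") or {}
    flagged = []
    for name, value in env.items():
        if not SECRET_NAME_PATTERN.search(name):
            continue
        if SAFE_VALUE_PATTERN.match(value or ""):
            continue  # e.g. DB_SECRET_ARN=arn:aws:secretsmanager:... is fine
        flagged.append(name)
    return sorted(flagged)


def scan_configs(configs):
    """Map FunctionName -> flagged variable names for every function with findings."""
    findings = {}
    for cfg in configs:
        hits = flag_env_vars(cfg)
        if hits:
            findings[cfg["FunctionName"]] = hits
    return findings


def scan_region(region):
    """Live scan (assumed helper): ListFunctions already returns each function's Environment."""
    import boto3  # imported lazily so the offline example runs without it
    client = boto3.client("lambda", region_name=region)
    configs = []
    for page in client.get_paginator("list_functions").paginate():
        configs.extend(page["Functions"])
    return scan_configs(configs)


# Constructed sample configurations (fake account id and values).
SAMPLE_CONFIGS = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info",
                                   "STRIPE_API_KEY": "sk_test_example"}}},
    {"FunctionName": "report-worker",
     "Environment": {"Variables": {
         "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"}}},
    {"FunctionName": "no-env"},
]

if __name__ == "__main__":
    for fn, names in scan_configs(SAMPLE_CONFIGS).items():
        print(f"{fn}: {', '.join(names)}")  # orders-api: DB_PASSWORD, STRIPE_API_KEY
```

Name matching is a heuristic: a variable such as TOKEN_TTL_SECONDS would also fire and needs manual triage.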
Remediation: AWS CLI
# Store secret in Secrets Manager:
aws secretsmanager create-secret --name FUNCTION/secrets --secret-string '{...}' --region REGION
# Then remove from Lambda env vars and fetch at runtime
Remediation: Terraform
resource "aws_secretsmanager_secret" "fn_secrets" {
name = "function/secrets"
}
# Reference in Lambda via data source or SDK at runtime
This check is part of cloud-audit. Install it with pip install cloud-audit.
Related article
AWS Security Audit: 17 Issues in Every Account →