AWS Lambda

Lambda Environment Variables In-Transit Encryption Missing

This plugin checks that all sensitive AWS Lambda environment variable values are encrypted in transit.

Risk Level: High

Description:

This plugin checks that all sensitive AWS Lambda environment variable values are encrypted in transit. Lambda's encryption helpers let you encrypt environment variable values before they are transmitted to the function. Passwords and other sensitive data are frequently stored in environment variables, so for security purposes such values should be encrypted.

Recommended Action: Pingsafe highly recommends enabling encryption for all sensitive environment variables to meet security and compliance requirements.

Configuration Parameters

Lambda Sensitive Environment Variables: This parameter specifies a list of Lambda function environment variable names that must be encrypted. An alert is generated when any environment variable in the list is not properly encrypted.

By default, the value is set to null. For each function, the plugin reports a vulnerability if an environment variable in the list is passed to the function without proper encryption in transit.
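As an added illustration (not PingSafe's own plugin code) of how the check described above could be automated, the following Python script evaluates a list of sensitive variable names against Lambda function configurations. The page does not state how the plugin detects encryption, so this example uses an assumed heuristic: a value produced by the encryption helpers is stored as base64-encoded KMS ciphertext, so a short or non-base64 value is treated as unencrypted. The function configurations are constructed sample data in the shape of a Lambda `ListFunctions` response.

```python
import base64
import binascii
from typing import Dict, List

# Constructed stand-in for a KMS ciphertext blob as the encryption helpers
# would store it (base64 of an opaque byte string), not a real ciphertext.
FAKE_CIPHERTEXT = base64.b64encode(bytes(range(96))).decode()

# Constructed sample configurations (assumption: same field names as the
# FunctionConfiguration objects returned by the Lambda ListFunctions API).
SAMPLE_CONFIGS = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {"DB_PASSWORD": FAKE_CIPHERTEXT,
                                   "LOG_LEVEL": "info"}}},
    {"FunctionName": "billing-worker",
     "Environment": {"Variables": {"DB_PASSWORD": "hunter2",
                                   "API_TOKEN": "sk_live_plaintext"}}},
]


def looks_like_kms_ciphertext(value: str, min_bytes: int = 64) -> bool:
    """Heuristic (assumption): helper-encrypted values are strict base64 that
    decodes to a blob of at least min_bytes. A plaintext password is almost
    never valid base64 of that size. A definitive check would attempt a
    kms.decrypt of the value instead of trusting this shape test."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= min_bytes


def find_unencrypted(config: Dict, sensitive_names: List[str]) -> List[str]:
    """Return the names from sensitive_names that this function sets without
    encryption. With the parameter at its default (null/empty) nothing is checked."""
    if not sensitive_names:
        return []
    variables = config.get("Environment", {}).get("Variables", {})
    return [name for name in sensitive_names
            if name in variables and not looks_like_kms_ciphertext(variables[name])]


def audit(configs: List[Dict], sensitive_names: List[str]) -> Dict[str, List[str]]:
    """Map each function name to its list of unencrypted sensitive variables."""
    return {c["FunctionName"]: find_unencrypted(c, sensitive_names) for c in configs}


def fetch_configs(region: str) -> List[Dict]:
    """Optional live mode (assumes boto3 and AWS credentials are available)."""
    import boto3
    paginator = boto3.client("lambda", region_name=region).get_paginator("list_functions")
    return [fn for page in paginator.paginate() for fn in page["Functions"]]
```

Running `audit(SAMPLE_CONFIGS, ["DB_PASSWORD", "API_TOKEN"])` flags both variables on billing-worker and nothing on orders-api; a variable absent from a function is not reported, matching the parameter's list semantics.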

About the Service: 

AWS Lambda is a serverless compute service that allows you to run code without having to provision or manage servers, create workload-aware cluster scaling logic, keep event integrations up to date, or manage runtimes. You can use Lambda to run code for almost any form of application or backend service, and you don't have to worry about managing it. Simply upload your code as a ZIP file or container image, and Lambda will automatically and precisely assign compute execution power and run your code in response to incoming requests or events, at any scale.

Impact:

Unencrypted environment variables that store sensitive information such as passwords, tokens and access keys are insecure: if the values are intercepted while being dynamically passed to your function, they can lead to unauthorized access.

This creates a major exploit point, since anyone who intercepts the request obtains all of the data.

Steps to reproduce:

  1. Sign in to your AWS Console.
  2. Navigate to the Lambda dashboard at: https://console.aws.amazon.com/lambda/ and select Functions.
  3. Select the Function you want to examine and visit its configuration page.
  4. Under the Environment Variables section, select Edit.
  5. Under Encryption Configuration, verify that the checkbox Enable helpers for encryption in transit is selected.

Steps for remediation:

  1. Sign in to your AWS Console.
  2. Navigate to the Lambda dashboard at: https://console.aws.amazon.com/lambda/ and select Functions.
  3. Select the Function you want to examine and visit its configuration page.
  4. Under the Environment Variables section, select Edit.
  5. Under Encryption Configuration, select the checkbox Enable helpers for encryption in transit.
  6. Select the Lambda key from the Encryption Key dropdown list to encrypt the environment variable values.

References: