Ensure that all AWS Lambda function environment variables that store sensitive information such as passwords, tokens and access keys are encrypted in order to meet security and compliance requirements. The environment variables defined for your Lambda functions are key-value pairs used to store configuration settings without changing function code. By default, the rule treats a Lambda environment variable as sensitive when its key (name) is "pass", "password", "api", "API", "Key", "KEY" or "key", or when the name contains the string "token" (the "*token*" pattern). You can also add your own environment variable names within the rule settings in your Trend Cloud One™ – Conformity account console.
This rule can help you work with the AWS Well-Architected Framework.
When dealing with Lambda function environment variables that hold sensitive and critical data, it is highly recommended to encrypt them in order to protect the data that you dynamically pass to your functions (usually access credentials) from unauthorized access. Lambda always encrypts environment variables at rest, but a plaintext value is still returned to anyone who can call GetFunctionConfiguration on the function; encrypting the value itself (the console's encryption in transit helper, backed by a KMS key) keeps it opaque until the function decrypts it at runtime.
Audit
To determine whether the environment variables that pass sensitive information to your AWS Lambda functions are encrypted in transit, perform the following operations:
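The same check can be scripted over the output of the AWS CLI commands the page references. The script below is an added example, not part of the Conformity rule or of AWS tooling: it reads `aws lambda list-functions` JSON, applies the rule's default name patterns (plus any extra names you pass), and flags sensitive variables whose value does not look like a KMS ciphertext. The "looks encrypted" test is a heuristic assumption (base64 that decodes to a long, non-textual blob), the case-insensitive "token" match is an assumption, and the sample functions, values and key ARN are constructed.

```python
"""Audit Lambda environment variables for sensitive values stored in plaintext.

Feed it the JSON from `aws lambda list-functions` on stdin (each entry in
"Functions" carries the function's Environment block), or run it with no
input to check the constructed SAMPLE below.
"""
import base64
import json
import sys

# Names the rule treats as sensitive by default: these exact names ...
DEFAULT_EXACT_NAMES = {"pass", "password", "api", "API", "Key", "KEY", "key"}
# ... plus any name containing this substring (the "*token*" pattern).
# Assumption: the substring match is case-insensitive here so that names
# such as API_TOKEN are flagged too.
DEFAULT_SUBSTRINGS = ("token",)

# Assumption (heuristic, not an AWS guarantee): a value encrypted with the
# console's encryption-in-transit helper is a base64-encoded KMS ciphertext
# blob, so it decodes cleanly and the decoded bytes are long and non-textual.
MIN_CIPHERTEXT_BYTES = 64


def is_sensitive_name(name, extra_names=()):
    """True if `name` matches the default patterns or one of `extra_names`."""
    if name in DEFAULT_EXACT_NAMES or name in extra_names:
        return True
    lowered = name.lower()
    return any(sub in lowered for sub in DEFAULT_SUBSTRINGS)


def looks_encrypted(value):
    """Heuristic: does `value` look like a base64 KMS ciphertext blob?"""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False          # not base64 at all -> plaintext
    if len(raw) < MIN_CIPHERTEXT_BYTES:
        return False          # too short to be a KMS ciphertext
    # Base64 that decodes to printable ASCII is merely encoded, not encrypted.
    return any(b < 0x20 or b > 0x7E for b in raw)


def audit_functions(functions, extra_names=()):
    """Return one finding per sensitive variable whose value is plaintext."""
    findings = []
    for fn in functions:
        variables = fn.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            if is_sensitive_name(name, extra_names) and not looks_encrypted(value):
                findings.append({
                    "FunctionName": fn.get("FunctionName"),
                    "Variable": name,
                    # None means the default AWS-managed key encrypts at rest
                    "KMSKeyArn": fn.get("KMSKeyArn"),
                })
    return findings


# Stand-in for a KMS ciphertext blob (constructed, not real ciphertext):
# 128 non-printable bytes, base64-encoded.
FAKE_CIPHERTEXT = base64.b64encode(bytes(range(0x80, 0x100))).decode()

# Constructed sample in the shape of `aws lambda list-functions` output.
SAMPLE = {"Functions": [
    {"FunctionName": "orders-api",
     "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
     "Environment": {"Variables": {
         "REGION": "us-east-1",              # not sensitive, ignored
         "password": "Summer2024!",          # sensitive, plaintext -> finding
         "API_TOKEN": "tok-constructed",     # matches *token*, plaintext -> finding
         "key": FAKE_CIPHERTEXT,             # sensitive, encrypted -> ok
         "DB_HOST": "db.internal",           # only flagged via extra_names
     }}},
    {"FunctionName": "billing-worker",
     "Environment": {"Variables": {
         "pass": "aGVsbG8=",                 # base64("hello"): encoded, not encrypted
     }}},
]}


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_functions(data["Functions"]):
        print(f"{f['FunctionName']}: variable '{f['Variable']}' is stored in plaintext")
```

Run it as `aws lambda list-functions | python audit_lambda_env.py` for every region you use; a finding with `KMSKeyArn` of `None` additionally tells you the function relies on the default AWS-managed key for encryption at rest rather than a customer managed key.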
Remediation / Resolution
To enable encryption in transit for the environment variables that pass sensitive information to your AWS Lambda functions, perform the following operations:
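Once a value has been encrypted with the console helper, the function receives a base64 KMS ciphertext rather than the secret and must decrypt it at runtime. The handler below is an added example (not code from the page, Conformity or AWS); it makes the same `kms:Decrypt` call as the decrypt snippet the Lambda console generates, passing the encryption context `{"LambdaFunctionName": <function name>}` that binds the ciphertext to this function, and caches the plaintext so the KMS call happens once per container instead of once per invocation. `FakeKms` is a constructed offline stand-in that mimics only the context check; the variable name `password` and function name `orders-api` are hypothetical.

```python
"""Runtime decryption for an environment variable encrypted with the console's
encryption-in-transit helper.

The helper stores a base64 KMS ciphertext in the variable and binds it to the
function with the encryption context {"LambdaFunctionName": <name>}, so a copy
of the ciphertext cannot be decrypted from another function (or by a user who
only has the ciphertext and kms:Decrypt on the key).
"""
import base64
import os

_plaintext_cache = {}


def decrypt_value(ciphertext_b64, kms_client, function_name):
    """Decrypt one encrypted variable value with the function-bound context."""
    response = kms_client.decrypt(
        CiphertextBlob=base64.b64decode(ciphertext_b64),
        EncryptionContext={"LambdaFunctionName": function_name},
    )
    return response["Plaintext"].decode("utf-8")


def can_decrypt(ciphertext_b64, kms_client, function_name):
    """True if the ciphertext decrypts under `function_name`'s context."""
    try:
        decrypt_value(ciphertext_b64, kms_client, function_name)
        return True
    except Exception:  # KMS raises InvalidCiphertextException on a context mismatch
        return False


def get_secret(name, kms_client, env=os.environ):
    """Read env var `name`, decrypting it once per container and caching it."""
    if name not in _plaintext_cache:
        _plaintext_cache[name] = decrypt_value(
            env[name], kms_client, env["AWS_LAMBDA_FUNCTION_NAME"])
    return _plaintext_cache[name]


def handler(event, context):
    import boto3  # imported lazily so the module also loads outside Lambda
    password = get_secret("password", boto3.client("kms"))
    # ... use the password to connect; never log it or return it to the caller
    return {"statusCode": 200, "decrypted": bool(password)}


class FakeKms:
    """Constructed offline stand-in for the KMS client. It is not encryption:
    the 'ciphertext' is the plaintext prefixed with the function name it was
    bound to, which is enough to exercise the encryption-context check."""

    @staticmethod
    def encrypt_for(plaintext, function_name):
        return base64.b64encode(f"{function_name}\x00{plaintext}".encode()).decode()

    def decrypt(self, CiphertextBlob, EncryptionContext):
        bound_name, _, plaintext = CiphertextBlob.decode().partition("\x00")
        if EncryptionContext.get("LambdaFunctionName") != bound_name:
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": plaintext.encode()}
```

The function's execution role needs `kms:Decrypt` on the key used by the helper; the cache lives for the lifetime of the container, so a rotated secret is picked up when the function is updated (which replaces the environment) rather than on the next invocation.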
Note: Enabling encryption in transit for Lambda function environment variables using the AWS Command Line Interface (AWS CLI) is not currently supported. The AWS CLI can still set the customer managed KMS key used for encryption at rest (update-function-configuration --kms-key-arn), but that is a separate setting and does not encrypt the variable values themselves.

References
- AWS Documentation
  - AWS Lambda FAQs
  - Using Lambda environment variables
  - What is AWS Lambda?
- AWS Command Line Interface (CLI) Documentation
  - lambda
  - list-functions
  - get-function