
Enable Encryption in Transit for Environment Variables

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all Amazon Lambda function environment variables that store sensitive information such as passwords, tokens and access keys are encrypted in order to meet security and compliance requirements. The environment variables defined for your Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code. By default, all Lambda environment variables with the key (name) set to "pass", "password", "*token*" (i.e. any key containing the string "token"), "api", "API", "Key", "KEY", "key" are checked for encryption. You can also set your own environment variable names within the rule settings on your Trend Cloud One™ – Conformity account console.

This rule can help you work with the AWS Well-Architected Framework.

Security

When dealing with Lambda function environment variables that hold sensitive and critical data, it is highly recommended to implement encryption in order to protect the data that you dynamically pass to your functions (usually access information) from unauthorized access.


Audit

To determine if the environment variables that pass sensitive information to your Amazon Lambda functions are encrypted in transit, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Configuration tab and choose Environment variables from the left menu.

06 In the Environment variables section, choose Edit to access the configuration settings available for the function's environment variables.

07 On the Edit environment variables page, choose Encryption configuration, and check the Enable helpers for encryption in transit setting status available under Encryption in transit. If the Enable helpers for encryption in transit setting is disabled, the environment variables defined for the selected Amazon Lambda function are not encrypted in transit. If the Enable helpers for encryption in transit setting is enabled but the function's environment variables that store sensitive information, listed in the conformity rule settings, are not encrypted (i.e. the key values are visible and not encoded), the environment variables created for the selected function are not encrypted in transit, therefore the sensitive information stored in these variables is not protected from unauthorized access.

08 Repeat steps no. 4 – 7 for each Lambda function available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------
|   ListFunctions   |
+-------------------+
|  cc-sqs-poller    |
|  cc-s3-logging    |
|  s3-get-object    |
+-------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter and custom query filters to describe the environment variables defined for the selected function:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-sqs-poller \
  --query 'Configuration.Environment'

04 The command output should return the environment variables created for the specified function:

{
	"Variables": {
		"db_name": "mydbname",
		"db_user": "mydbuser",
		"db_password": "mydbpassword"
	}
}

Compare each environment variable returned by the get-function command output, listed within the Variables object, to the list of variables defined in the conformity rule settings. If one or more environment variables match the ones defined within conformity rule settings and the value set for these variables is not encoded (example of encoded value: "AQECAHiDgSGpKDlN+Bq ... R3XWQkYBNAJi6WUBMVJ0="), as shown in the output example above, the environment variables created for the selected function are not encrypted in transit, therefore the sensitive information stored in these variables is not protected from unauthorized access.

05 Repeat steps no. 3 and 4 for each Lambda function available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
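The comparison in step 04 can be scripted. The following Python code is an added example and is not part of the Conformity article or of any Trend Micro tooling: it encodes the default key names listed in the rule description as glob patterns, treats the "encoded value" test as a heuristic (valid base64 that decodes to binary data; this is an assumption, not the rule's exact logic), and runs it over a constructed sample environment in the shape of the get-function output above. The optional audit_region helper, which walks every function in one region with boto3 to cover steps 01 to 05, is likewise an assumption about how one would automate the procedure.

```python
"""Offline helpers mirroring the CLI audit above, plus an optional boto3 driver (added example)."""
import base64
import binascii
import fnmatch
from typing import Dict, Iterable, List

# Default key names from the rule description; "*token*" is a glob matching any key that contains "token".
DEFAULT_SENSITIVE_KEYS = ["pass", "password", "*token*", "api", "API", "Key", "KEY", "key"]

# Constructed stand-in for a KMS ciphertext blob (NOT real KMS output): a few header bytes followed
# by high-bit bytes, base64-encoded the way an encrypted Lambda environment variable is stored.
CONSTRUCTED_CIPHERTEXT = base64.b64encode(b"\x01\x01\x02\x00" + bytes(range(128, 192))).decode("ascii")

# Constructed sample in the shape of `aws lambda get-function --query 'Configuration.Environment'`.
SAMPLE_ENVIRONMENT = {
    "Variables": {
        "db_name": "mydbname",
        "db_user": "mydbuser",
        "db_password": "mydbpassword",        # plaintext secret: the finding the rule reports
        "api_token": CONSTRUCTED_CIPHERTEXT,  # looks like an encrypted value
    }
}


def is_sensitive_key(key: str, patterns: Iterable[str] = DEFAULT_SENSITIVE_KEYS) -> bool:
    """True if the variable name matches one of the rule's key names (glob syntax, case-sensitive)."""
    return any(fnmatch.fnmatchcase(key, pattern) for pattern in patterns)


def looks_encrypted(value: str) -> bool:
    """Heuristic for the 'encoded value' test in step 04: a KMS ciphertext blob is base64 of binary data."""
    if len(value) < 24 or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Base64 that decodes to mostly printable text is just wrapped plaintext, not a ciphertext blob.
    printable = sum(1 for b in raw if 32 <= b < 127)
    return printable / len(raw) < 0.7


def audit_environment(environment: Dict, patterns: Iterable[str] = DEFAULT_SENSITIVE_KEYS) -> List[str]:
    """Return the names of sensitive variables whose values are stored in plaintext (sorted)."""
    patterns = list(patterns)
    variables = (environment or {}).get("Variables", {})
    return sorted(
        name for name, value in variables.items()
        if is_sensitive_key(name, patterns) and not looks_encrypted(value)
    )


def audit_region(region: str, patterns: Iterable[str] = DEFAULT_SENSITIVE_KEYS) -> Dict[str, List[str]]:
    """Steps 01-05 for one region: walk every function and collect its plaintext sensitive variables.
    Needs AWS credentials; boto3 is imported here so the offline helpers above run without the SDK."""
    import boto3  # assumption: the AWS SDK for Python is installed and configured
    client = boto3.client("lambda", region_name=region)
    findings: Dict[str, List[str]] = {}
    for page in client.get_paginator("list_functions").paginate():
        for function in page["Functions"]:
            flagged = audit_environment(function.get("Environment"), patterns)
            if flagged:
                findings[function["FunctionName"]] = flagged
    return findings


if __name__ == "__main__":
    # The defaults flag exact names only, so extend them the way the rule settings allow.
    custom_patterns = DEFAULT_SENSITIVE_KEYS + ["*pass*", "*secret*"]
    print(audit_environment(SAMPLE_ENVIRONMENT, custom_patterns))  # ['db_password']
```

With the default key list alone the sample's db_password is not reported, because the rule's defaults are exact names apart from "*token*"; adding a pattern such as "*pass*" reproduces the finding the article describes for that output. A value that is real base64 but decodes to readable text is deliberately treated as plaintext, since base64 wrapping is encoding, not encryption.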

Remediation / Resolution

To enable encryption in transit for the environment variables that pass sensitive information to your Amazon Lambda functions, perform the following operations:

Note: Enabling encryption in transit for Lambda function environment variables using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"FunctionExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "LambdaExecutionRole",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"lambda.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"Policies": [
					{
						"PolicyName": "AWSLambdaBasicExecutionRole",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"logs:CreateLogGroup",
										"logs:CreateLogStream",
										"logs:PutLogEvents",
										"ec2:DescribeNetworkInterfaces",
										"ec2:CreateNetworkInterface",
										"ec2:DeleteNetworkInterface",
										"ec2:DescribeInstances",
										"ec2:AttachNetworkInterface"
									],
									"Resource": "*"
								}
							]
						}
					}
				]
			}
		},
		"LambdaFunction": {
			"Type": "AWS::Lambda::Function",
			"Properties": {
				"FunctionName": "cc-app-worker-function",
				"Handler": "lambda_function.lambda_handler",
				"Role": {
					"Fn::GetAtt": [
						"FunctionExecutionRole",
						"Arn"
					]
				},
				"Code": {
					"S3Bucket": "cc-lambda-functions",
					"S3Key": "worker.zip"
				},
				"Runtime": "python3.9",
				"MemorySize": 1024,
				"Timeout": 45,
				"VpcConfig": {
					"SecurityGroupIds": [
						"sg-0abcd1234abcd1234"
					],
					"SubnetIds": [
						"subnet-abcd1234",
						"subnet-1234abcd"
					]
				},
				"Environment": {
					"Variables": {
						"DatabaseName": "lambda-db-name",
						"DatabaseUser": "lambda-db-user"
					}
				},
				"KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  FunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LambdaExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AWSLambdaBasicExecutionRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: cc-app-worker-function
      Handler: lambda_function.lambda_handler
      Role: !GetAtt 'FunctionExecutionRole.Arn'
      Code:
        S3Bucket: cc-lambda-functions
        S3Key: worker.zip
      Runtime: python3.9
      MemorySize: 1024
      Timeout: 45
      VpcConfig:
        SecurityGroupIds:
          - sg-0abcd1234abcd1234
        SubnetIds:
          - subnet-abcd1234
          - subnet-1234abcd
      Environment:
        Variables:
          DatabaseName: lambda-db-name
          DatabaseUser: lambda-db-user
      KmsKeyArn: arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_role" "lambda-execution-role" {
	name = "LambdaExecutionRole"
	path = "/"
	managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]

	assume_role_policy = <<-EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "lambda.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_lambda_function" "lambda-function" {
	function_name    = "cc-app-worker-function"
	s3_bucket        = "cc-lambda-functions"
	s3_key           = "worker.zip"
	role             = aws_iam_role.lambda-execution-role.arn
	handler          = "lambda_function.lambda_handler"
	runtime          = "python3.9"
	memory_size      = 1024
	timeout          = 45
	vpc_config {
		subnet_ids         = [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
		security_group_ids = [ "sg-0abcd1234abcd1234" ]
	}
	tracing_config {
		mode = "Active"
	}
	environment {
		variables = {
			DatabaseName = "lambda-db-name"
			DatabaseUser = "lambda-db-user"
		}
		kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name of the function that you want to reconfigure.

05 Select the Configuration tab and choose Environment variables from the left menu.

06 In the Environment variables section, choose Edit to access the configuration settings available for the function's environment variables.

07 On the Edit environment variables page, perform the following actions:

  1. Choose Encryption configuration and select the Enable helpers for encryption in transit checkbox available under Encryption in transit.
  2. Select each environment variable that stores sensitive information, defined within the conformity rule settings, and choose Encrypt.
  3. Inside the Encryption in transit configuration box, select the KMS key required for encryption from the AWS KMS key to encrypt in transit dropdown list, then choose Encrypt.
  4. Once all the environment variables that hold sensitive information are encrypted in transit, choose Save to apply the changes.

08 Repeat steps no. 4 – 7 to enable encryption in transit for each Lambda function with environment variables that store sensitive information, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.


Publication date Nov 29, 2023