Lambda function code is analyzed for embedded secrets across files in the deployment package, detecting patterns like API keys, passwords, tokens, and connection strings. Findings reference file names and line numbers where potential secrets appear.
Risk
Hardcoded secrets undermine confidentiality and integrity: if code, layers, or artifacts are exposed, attackers can reuse credentials to access databases, APIs, or cloud resources, enabling data exfiltration and unauthorized changes.
Rotation is harder, increasing dwell time and blast radius of compromises.
prowler aws --checks awslambda_function_no_secrets_in_code
Recommendation
Use AWS Secrets Manager (or Systems Manager Parameter Store) to store secrets and retrieve them at runtime; never put them in code or Lambda environment variables.
- Grant the execution role least-privilege IAM access, scoped to the secrets it needs
- Enable secret rotation
- Prevent secrets from being written to logs, and encrypt them
- Add secret scanning to the CI/CD pipeline
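The kind of scan this check performs, and the CI/CD secret scanning recommended above, can be illustrated with a small pattern-based scanner. The code below is an added example written for this page; it is not Prowler's detector and its regexes are illustrative, not Prowler's pattern set. The sample deployment package (handler.py, config/settings.ini, README.md) is constructed here; the key values in it are the well-known AWS documentation examples, not live credentials. Findings carry the file name and line number, as the check's own findings do, with the matched value redacted so the report cannot itself leak the secret.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative patterns for the kinds of strings the check describes (constructed
# for this example; not Prowler's own pattern set). Group 1 is the secret value.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("AWS access key ID",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("AWS secret access key",
     re.compile(r"(?i)aws[_\-\s]*secret[_\-\s]*access[_\-\s]*key\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]")),
    ("Hardcoded password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
    ("API key / token",
     re.compile(r"(?i)(?:api[_-]?key|token)\s*[=:]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]")),
    ("Connection string with credentials",
     re.compile(r"(?i)\b[a-z][a-z0-9+.\-]*://[^\s:/@]+:([^\s@]+)@[^\s/]+")),
]


@dataclass(frozen=True)
class Finding:
    file: str      # path relative to the package root
    line: int      # 1-based line number
    kind: str      # which pattern fired
    excerpt: str   # matched text with the secret value masked


def _redact(value: str) -> str:
    # Keep a short prefix so the finding is recognisable; mask the rest.
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(file_name: str, text: str) -> List[Finding]:
    """Scan one file's contents and return findings with line numbers."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1)
                excerpt = m.group(0).replace(value, _redact(value))
                findings.append(Finding(file_name, lineno, kind, excerpt))
    return findings


def scan_package(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory deployment package: {relative path: file contents}."""
    findings: List[Finding] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Scan an unpacked deployment package on disk (usable as a CI gate)."""
    findings: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(os.path.relpath(path, root), fh.read()))
    return findings


def format_finding(f: Finding) -> str:
    return f"{f.file}:{f.line}: {f.kind}: {f.excerpt}"


# Constructed sample package; the AWS key values are the documented example keys.
SAMPLE_PACKAGE: Dict[str, str] = {
    "handler.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "Sup3rSecret!"\n'
        'API_TOKEN = "tok_0123456789abcdef0123"\n'
        "def handler(event, context):\n"
        '    return {"statusCode": 200}\n'
    ),
    "config/settings.ini": (
        "[database]\n"
        "url = postgres://app:Sup3rSecret@db.example.internal:5432/app\n"
        "pool_size = 10\n"
    ),
    "README.md": (
        "# Service\n"
        "Secrets are read from AWS Secrets Manager at runtime.\n"
        "See https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html\n"
    ),
}

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the constructed sample.
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_package(SAMPLE_PACKAGE)
    for f in results:
        print(format_finding(f))
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

Run with a directory argument inside a pipeline stage, after the package is built and before it is deployed; a non-zero exit blocks the deploy. Regex scanners of this kind trade recall for simplicity: an unquoted value, or a secret assembled at runtime, will not match, so treat the scan as one layer alongside code review rather than as proof of absence.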
Remediation
- In AWS Secrets Manager, click Store a new secret and create a secret for the value you hardcoded. Note the secret name/ARN.
- In IAM > Roles, open your Lambda execution role and add an inline policy allowing secretsmanager:GetSecretValue on that secret only.
- Edit your Lambda function code to remove the hardcoded value and retrieve it at runtime using the AWS SDK (GetSecretValue) with the secret name/ARN.
- Deploy the updated function code.
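The remediation steps above, carried through in code, as an added example that is not part of the original page or of Prowler. It assumes a secret named prod/app/db stored as a JSON object with username and password keys (the convention Secrets Manager uses for database credentials); the ARN, account ID and region in the inline policy are placeholders. The handler reads the secret at runtime through the SDK's GetSecretValue call and caches it across warm invocations so the API is not called on every request; the client and clock are injectable so the logic can be exercised without AWS access.

```python
import json
import os
import time
from typing import Any, Callable, Dict, Tuple

# The secret *name* may live in function configuration; it is not itself a secret.
# "prod/app/db" is an assumed name for this example.
SECRET_ID = os.environ.get("SECRET_ID", "prod/app/db")
CACHE_TTL_SECONDS = 300  # re-read after rotation without a cold start

# Least-privilege inline policy for the execution role (remediation step 2).
# ARN, account ID and region are placeholders; substitute the real secret ARN.
EXECUTION_ROLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:REGION:123456789012:secret:prod/app/db-SUFFIX",
    }],
}

# Module-level cache survives across warm invocations of the same container.
SECRET_CACHE: Dict[str, Tuple[float, Any]] = {}


def clear_cache() -> None:
    SECRET_CACHE.clear()


def _default_client():
    # Imported lazily so the module loads (and its logic can be tested) without boto3.
    import boto3
    return boto3.client("secretsmanager")


def parse_secret_response(resp: Dict[str, Any]) -> Any:
    """Turn a GetSecretValue response into a usable value.

    SecretString is returned as a dict when it holds a JSON object, otherwise as the
    raw string; SecretBinary arrives from boto3 as bytes (already base64-decoded)."""
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            parsed = json.loads(raw)
        except ValueError:
            return raw
        return parsed if isinstance(parsed, dict) else raw
    if "SecretBinary" in resp:
        return resp["SecretBinary"]
    raise ValueError("GetSecretValue response carried neither SecretString nor SecretBinary")


def get_secret(secret_id: str = SECRET_ID, client=None,
               now: Callable[[], float] = time.monotonic) -> Any:
    """Fetch a secret at runtime, serving it from cache until the TTL expires."""
    t = now()
    hit = SECRET_CACHE.get(secret_id)
    if hit is not None and hit[0] > t:
        return hit[1]
    client = client if client is not None else _default_client()
    resp = client.get_secret_value(SecretId=secret_id)
    value = parse_secret_response(resp)
    SECRET_CACHE[secret_id] = (t + CACHE_TTL_SECONDS, value)
    return value


def handler(event, context, client=None) -> Dict[str, Any]:
    """Lambda entry point (remediation step 3): no credential literal in the code."""
    creds = get_secret(client=client)
    # Open the database connection with creds["username"] / creds["password"] here.
    # The password is never logged or returned; only the non-sensitive username is echoed.
    return {"statusCode": 200, "body": json.dumps({"db_user": creds["username"]})}
```

Keep the cache TTL at or below the rotation window, otherwise a rotated password is served stale until the container is recycled; with rotation enabled, retrying once with a cleared cache on an authentication failure covers the gap.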
Resource Type
AwsLambdaFunction
References
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html
- https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/
- https://www.cloudcurls.com/2025/08/how-to-manage-secrets-securely-with-aws-secrets-manager.html