This check inspects each AWS Lambda function's environment variables for values that look like secrets (API keys, tokens, passwords) and flags functions whose environment appears to contain hardcoded credentials. Detection is pattern-based and therefore heuristic: a hit should be confirmed by hand, and secrets that are short, encoded, or split across several variables can escape it.
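As an added illustration of the kind of pattern-based scan the check performs (example code written for this page, not Prowler's own detection logic): it takes the Environment.Variables map returned by `aws lambda get-function-configuration`, skips values that are merely references to a secret store, and flags the rest by structured pattern, suspicious key name, or high entropy. The regexes, thresholds and the sample map are assumptions chosen for illustration.

```python
"""Offline pattern-based scan of a Lambda function's environment variables for secret-like values.

Added example, not Prowler's own detection code. Input is the Environment.Variables map as
returned by `aws lambda get-function-configuration`; the sample map below is constructed.
"""
import math
import re
from typing import Dict, List

# Key names that commonly carry credentials (a low-confidence signal on its own).
SENSITIVE_KEY_RE = re.compile(
    r"(secret|passw(or)?d|token|api[_-]?key|private[_-]?key|access[_-]?key)", re.I
)

# Value patterns with a fixed, recognisable structure (illustrative subset, an assumption).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A Secrets Manager or SSM ARN is a reference to a secret, which is what the recommendation asks for.
SECRET_REFERENCE_RE = re.compile(r"^arn:aws[a-z-]*:(?:secretsmanager|ssm):")

MIN_ENTROPY_LEN = 20      # shorter values give unreliable entropy estimates
ENTROPY_THRESHOLD = 4.5   # bits/char; random 32+ char tokens score ~5, hostnames and URLs ~3.5-4


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(key: str, value: str) -> List[str]:
    """Return the reasons a variable looks like a hardcoded secret (empty list = clean)."""
    if SECRET_REFERENCE_RE.match(value):
        return []  # reference to a secret store, not secret material
    reasons = [f"pattern:{name}" for name, rx in VALUE_PATTERNS.items() if rx.search(value)]
    if reasons:
        return reasons  # a structured match is conclusive; skip the weaker heuristics
    if SENSITIVE_KEY_RE.search(key) and value:
        reasons.append("key-name")
    if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def scan_environment(variables: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious variable name to its reasons. Values are never returned, so output is safe to log."""
    findings: Dict[str, List[str]] = {}
    for key, value in variables.items():
        reasons = classify(key, value)
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample in the shape of GetFunctionConfiguration's Environment.Variables.
# AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key ID, not a live credential.
SAMPLE_VARIABLES = {
    "LOG_LEVEL": "INFO",
    "DB_HOST": "db.internal.example.com",
    "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
    "DB_PASSWORD": "hunter2",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "INTEGRATION_TOKEN": "Zq8!vT3#pL9@xR2$wK7%mN4^bH6&cJ1*",
}

if __name__ == "__main__":
    for name, why in scan_environment(SAMPLE_VARIABLES).items():
        print(f"FAIL {name}: {', '.join(why)}")
```

Feed it real output with `aws lambda get-function-configuration --function-name <FUNCTION_NAME> --query Environment.Variables` parsed as JSON; it reports variable names and reasons only, never values, so the result can go into a ticket. Expect false positives from the key-name heuristic (a variable named `SECRET_NAME` holding a plain label) and false negatives for short or split secrets; the ARN exclusion is what lets the recommended "store only the reference" pattern pass cleanly.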
Risk
Lambda stores environment variables encrypted at rest, but the service returns them in plaintext to any principal allowed `lambda:GetFunctionConfiguration` or `lambda:GetFunction`, and they are also visible in the console, through runtime introspection (for example a handler that dumps its environment), and in any log line or error report that echoes the environment. A leaked secret grants the function's standing access to downstream systems, enabling lateral movement and tampering, so integrity and availability are at risk along with confidentiality.
prowler aws --checks awslambda_function_no_secrets_in_variables
Recommendation
Do not store secrets in environment variables or code. Keep them in AWS Secrets Manager or SSM Parameter Store (SecureString parameters), put only the secret's ARN or name in the environment, and have the function fetch the value at runtime with an execution role allowed `secretsmanager:GetSecretValue` (or `ssm:GetParameter` with decryption) on that resource alone. Prefer short-lived credentials obtained through IAM roles over long-lived keys.
Rotate any key that has appeared in a function configuration, restrict who can read function configuration, and apply defense in depth: CloudTrail records each read of the secret, so log and alert on unexpected access.
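The runtime-fetch pattern from the recommendation above, as an added example (not Prowler's or AWS's own code): the environment variable `DB_SECRET_ARN` (an assumed name) holds only the secret's ARN, the handler pulls the value from Secrets Manager via boto3 on the first invocation and caches it per execution environment, and `MINIMAL_EXECUTION_POLICY` shows the single-resource IAM statement the execution role needs. `FakeSecretsManager`, the ARN and the credential are constructed so the module runs offline; the real client is only created lazily in `_default_client`.

```python
"""Lambda handler that resolves a database credential at runtime instead of reading it from an env var.

Added example, not Prowler's or AWS's own code. Only the secret's ARN is placed in the environment
(DB_SECRET_ARN, an assumed variable name); the value is fetched from Secrets Manager on the first
invocation and cached in the execution environment so warm invocations do not call the API again.
FakeSecretsManager and the sample secret below are constructed so the module runs offline.
"""
import base64
import json
import os
import time
from typing import Any, Callable, Dict, Tuple

CACHE_TTL_SECONDS = 300  # bounds how long a rotated secret can be served stale from a warm container
_cache: Dict[str, Tuple[float, Dict[str, Any]]] = {}  # arn -> (fetched_at, parsed value)

# Least-privilege statement for the execution role: read one secret, nothing else.
# kms:Decrypt on the secret's key is also needed when it is not under the AWS managed key.
MINIMAL_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-*",
    }],
}


def _default_client():
    import boto3  # imported lazily so the module loads (and the offline demo runs) without boto3
    return boto3.client("secretsmanager")


def parse_secret_value(response: Dict[str, Any]) -> Dict[str, Any]:
    """Normalise a GetSecretValue response: JSON SecretString -> dict, anything else -> {"value": raw}."""
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            parsed = json.loads(raw)
            return parsed if isinstance(parsed, dict) else {"value": parsed}
        except json.JSONDecodeError:
            return {"value": raw}
    if "SecretBinary" in response:
        data = response["SecretBinary"]
        # boto3 hands back bytes; the raw API encodes the field as base64 text
        if isinstance(data, (bytes, bytearray)):
            return {"value": bytes(data)}
        return {"value": base64.b64decode(data)}
    raise ValueError("GetSecretValue response carries neither SecretString nor SecretBinary")


def get_secret(arn: str, client_factory: Callable[[], Any] = _default_client,
               now: Callable[[], float] = time.time) -> Dict[str, Any]:
    """Return the parsed secret, serving from the per-container cache while it is fresh."""
    hit = _cache.get(arn)
    if hit and now() - hit[0] < CACHE_TTL_SECONDS:
        return hit[1]
    response = client_factory().get_secret_value(SecretId=arn)
    value = parse_secret_value(response)
    _cache[arn] = (now(), value)
    return value


def handler(event: Dict[str, Any], context: Any,
            client_factory: Callable[[], Any] = _default_client) -> Dict[str, Any]:
    """Lambda entry point. The environment holds a reference, never the credential itself."""
    creds = get_secret(os.environ["DB_SECRET_ARN"], client_factory)
    # creds["username"] / creds["password"] would go to the DB driver here; never log them.
    return {"statusCode": 200, "body": json.dumps({"db_user": creds["username"]})}


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client that counts API calls."""

    def __init__(self, secrets: Dict[str, Dict[str, Any]]):
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return dict(self.secrets[SecretId])


SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"


def demo(invocations: int = 3) -> Tuple[Dict[str, Any], int]:
    """Invoke the handler several times offline; return the last response and the API call count."""
    secret = {"SecretString": json.dumps({"username": "app", "password": "not-a-real-password"})}
    fake = FakeSecretsManager({SAMPLE_ARN: secret})
    os.environ["DB_SECRET_ARN"] = SAMPLE_ARN
    _cache.clear()
    result: Dict[str, Any] = {}
    for _ in range(invocations):
        result = handler({}, None, client_factory=lambda: fake)
    return result, fake.calls


if __name__ == "__main__":
    response, api_calls = demo()
    print(response, "Secrets Manager calls:", api_calls)
```

The cache TTL is the trade-off between API cost and staleness after rotation: keep it well below the rotation window, or refetch with a fresh `now` after an authentication failure. The policy grants `GetSecretValue` on one secret prefix rather than `secretsmanager:*` on `*`, which is the least-privilege half of the recommendation; deploying the function also means the secret is no longer readable through `lambda:GetFunctionConfiguration`, only through the execution role's own permissions.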
Remediation
aws lambda update-function-configuration --region <REGION> --function-name <FUNCTION_NAME> --environment "Variables={}"
This clears every environment variable, including non-secret configuration, and the function will fail if it still reads any of them. To remove only the offending keys, list the current set with `aws lambda get-function-configuration --function-name <FUNCTION_NAME> --query Environment.Variables`, drop the secret entries, and pass the remainder back as `Variables={KEY1=value1,KEY2=value2}`.
Resources:
  <example_resource_name>:
    Type: AWS::Lambda::Function
    Properties:
      Environment:
        Variables: {} # CRITICAL: clears all environment variables so no secrets remain in the function configuration
resource "aws_lambda_function" "<example_resource_name>" {
  environment {
    variables = {} # CRITICAL: remove all environment variables so no secrets are present
  }
}
- Open the AWS Lambda console and select the function
- Go to Configuration > Environment variables
- Click Edit
- Delete variables that contain secrets (or remove all variables)
- Click Save
Resource Type
AwsLambdaFunction