Securing Secrets in AWS Lambda

Furqan Shaikh
Jan 4 · 4 min read

AWS Lambda functions often need to hold secrets or other sensitive information, for example credentials for a database, API keys, or similar values. This article outlines the options for working with such credentials securely in AWS Lambda.

Storing Secrets in Environment Variables

Environment variables let you keep configuration data outside the function code, so the configuration can change between environments without modifying the code. Secrets can be stored in and provided through environment variables, since AWS encrypts them at rest using AWS KMS and decrypts them when the function code accesses them.

In the AWS Console, expand the Encryption configuration section of the Lambda function.

As can be seen above, a default key is already selected; it is managed by AWS through AWS KMS.

In the AWS Console, go to AWS KMS and check that a default key has been created for AWS Lambda under AWS managed keys.

There are two points to be aware of:

  • Environment variables are not encrypted in transit, i.e. during deployment.
  • Create IAM roles that lock down the environment-variable section (including via the AWS CLI) when giving less-privileged users access to your AWS account.

Using AWS Secrets Manager

AWS Secrets Manager makes it easy to manage secrets. Users and applications retrieve secrets with a call to the Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. We can use the service to store the secrets used by AWS Lambda functions and retrieve them securely. Let's see how to use it with our function.

Instead of storing the API key in an environment variable, we will store it in AWS Secrets Manager and use the Secrets Manager SDK in our function code to retrieve it.

  • Create an IAM user/role with secretsmanager:CreateSecret permissions.
  • Use the AWS CLI to create the secret. Make sure the AWS CLI is configured for a user with the appropriate permissions.
  • Add ApiKey as an environment variable so that the function code can read it. This is only the name of the secret, not the secret value.
  • Add the following code to the function to retrieve the secret from Secrets Manager.
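The retrieval step above is shown on the page as a screenshot; the following is an added example (not the author's code) of what a Python handler doing it looks like. It assumes the boto3 `secretsmanager` client, an environment variable named `ApiKey` holding the secret's name (as in the steps above), a secret stored as a JSON document with an assumed `api_key` field, and a constructed `FakeSecretsManager` stand-in so the demo runs without AWS access. The module-level cache is an assumed design choice that addresses the latency point made later: warm invocations reuse the value instead of calling the API every time.

```python
"""Added example: retrieve a Lambda function's API key from AWS Secrets Manager."""
import json
import os
import time

SECRET_NAME_ENV = "ApiKey"      # environment variable holding the secret's *name*, not its value
CACHE_TTL_SECONDS = 300         # assumed refresh interval; keeps warm invocations off the API
_cache = {}                     # secret_id -> (expires_at, plaintext); survives across warm invocations


def secrets_client():
    """Real client (imported lazily so this module also loads where boto3 is absent)."""
    import boto3
    return boto3.client("secretsmanager")


def get_secret(secret_id, client=None, now=time.monotonic):
    """Return the secret's plaintext, served from the module-level cache while it is fresh."""
    entry = _cache.get(secret_id)
    if entry and entry[0] > now():
        return entry[1]
    client = client or secrets_client()
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        value = resp["SecretString"]
    else:
        value = resp["SecretBinary"].decode("utf-8")   # boto3 returns blob fields as bytes
    _cache[secret_id] = (now() + CACHE_TTL_SECONDS, value)
    return value


def secret_field(secret_value, field):
    """Secrets Manager usually stores a JSON document (RDS credentials, for instance);
    pull one field out of it, or return the raw string when the secret is not JSON."""
    try:
        doc = json.loads(secret_value)
    except ValueError:
        return secret_value
    return doc[field] if isinstance(doc, dict) else secret_value


def lambda_handler(event, context, client=None):
    """Lambda entry point: the secret's name comes from the environment, its value from Secrets Manager."""
    secret_id = os.environ[SECRET_NAME_ENV]
    api_key = secret_field(get_secret(secret_id, client=client), "api_key")   # field name assumed
    # Use api_key for the downstream call; never return or log the key itself.
    return {"statusCode": 200, "body": "api key loaded (%d chars)" % len(api_key)}


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client so the demo runs offline."""

    def __init__(self, store):
        self.store = store      # secret name -> SecretString, as Secrets Manager would hold it
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self.store:
            raise KeyError(SecretId)   # the real client raises ResourceNotFoundException
        return {"Name": SecretId, "SecretString": self.store[SecretId]}


def demo():
    """Two warm invocations: the second is answered from the cache, so the API is called once."""
    fake = FakeSecretsManager({"ApiKey": json.dumps({"api_key": "constructed-example-key-123"})})
    os.environ[SECRET_NAME_ENV] = "ApiKey"
    first = lambda_handler({}, None, client=fake)
    second = lambda_handler({}, None, client=fake)
    return fake.calls, first["body"], second["body"]


if __name__ == "__main__":
    print(demo())    # (1, 'api key loaded (27 chars)', 'api key loaded (27 chars)')
```

The secret itself is created beforehand with the AWS CLI (`aws secretsmanager create-secret --name ApiKey --secret-string '{"api_key": "..."}'`), and the function's execution role needs `secretsmanager:GetSecretValue` on that secret; the `CreateSecret` permission from the steps above belongs to whoever provisions the secret, not to the function. Keep the cache TTL shorter than your rotation interval so a rotated value is picked up promptly.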

AWS Secrets Manager has many capabilities around secrets management, for example connecting to RDS databases and rotating their credentials regularly. This means the database credentials are kept secure, rotated on a schedule, and available whenever your Lambda code needs them.

One point to be aware of with this approach is that it adds latency to the Lambda execution, but it greatly improves security.

EC2 Systems Manager Parameter Store

Instead of storing the API key in an environment variable, we will store it in EC2 Systems Manager Parameter Store and use the SSM SDK in our function code to retrieve it.

  • Create an IAM user/role with ssm:PutParameter permissions.
  • Use the AWS CLI to create the parameter holding the secret. Make sure the AWS CLI is configured for a user with the appropriate permissions.
  • Add ApiKey as an environment variable so that the function code can read it. This is only the name of the parameter, not the secret value.
  • Add the following code to the function to retrieve the secret from Parameter Store.
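As with the previous section, the retrieval code is a screenshot on the page; the block below is an added example (not the author's code) for the Parameter Store variant. It assumes the boto3 `ssm` client, an environment variable named `ApiKey` holding the parameter's name, an assumed parameter hierarchy under `/myapp/prod/`, and a constructed `FakeSSM` stand-in for offline use. It goes slightly beyond the single-parameter case in the text: it also loads every parameter under a path in one call, and it shows why `WithDecryption=True` matters for SecureString parameters (without it the stored KMS ciphertext comes back instead of the plaintext).

```python
"""Added example: read SecureString parameters from SSM Parameter Store in a Lambda function."""
import os

PARAM_NAME_ENV = "ApiKey"   # environment variable holding the parameter *name*, e.g. /myapp/prod/ApiKey


def ssm_client():
    """Real client (imported lazily so this module also loads where boto3 is absent)."""
    import boto3
    return boto3.client("ssm")


def get_parameter(name, client=None, decrypt=True):
    """Return one parameter's value. decrypt=True is required for SecureString parameters;
    otherwise Parameter Store hands back the KMS ciphertext rather than the plaintext."""
    client = client or ssm_client()
    resp = client.get_parameter(Name=name, WithDecryption=decrypt)
    return resp["Parameter"]["Value"]


def get_parameters_under(path, client=None):
    """Fetch every parameter below a path (e.g. /myapp/prod/) in one request, following NextToken,
    and return them keyed by their last path component."""
    client = client or ssm_client()
    found, token = {}, None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        resp = client.get_parameters_by_path(**kwargs)
        for param in resp["Parameters"]:
            found[param["Name"].rsplit("/", 1)[-1]] = param["Value"]
        token = resp.get("NextToken")
        if not token:
            return found


def lambda_handler(event, context, client=None):
    """Lambda entry point: the parameter name comes from the environment, its value from Parameter Store."""
    api_key = get_parameter(os.environ[PARAM_NAME_ENV], client=client)
    # Use api_key for the downstream call; never return or log the key itself.
    return {"statusCode": 200, "body": "api key loaded (%d chars)" % len(api_key)}


class FakeSSM:
    """Constructed stand-in for boto3's ssm client so the demo runs offline."""
    CIPHERTEXT = "CONSTRUCTED-KMS-CIPHERTEXT"   # what a SecureString looks like without decryption

    def __init__(self, params):
        self.params = params    # name -> (type, plaintext)

    def _entry(self, name, decrypt):
        ptype, plaintext = self.params[name]   # the real client raises ParameterNotFound
        value = plaintext if decrypt or ptype != "SecureString" else self.CIPHERTEXT
        return {"Name": name, "Type": ptype, "Value": value}

    def get_parameter(self, Name, WithDecryption=False):
        return {"Parameter": self._entry(Name, WithDecryption)}

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        names = [n for n in self.params if n.startswith(Path)]
        return {"Parameters": [self._entry(n, WithDecryption) for n in names]}


def demo():
    """Constructed hierarchy: two secrets and one plain setting under /myapp/prod/."""
    fake = FakeSSM({
        "/myapp/prod/ApiKey": ("SecureString", "constructed-example-key-123"),
        "/myapp/prod/DbPassword": ("SecureString", "constructed-db-password"),
        "/myapp/prod/Region": ("String", "us-east-1"),
    })
    os.environ[PARAM_NAME_ENV] = "/myapp/prod/ApiKey"
    return (
        lambda_handler({}, None, client=fake)["body"],
        get_parameter("/myapp/prod/ApiKey", client=fake, decrypt=False),
        sorted(get_parameters_under("/myapp/prod/", client=fake)),
    )


if __name__ == "__main__":
    print(demo())
```

The parameter is created with `aws ssm put-parameter --name /myapp/prod/ApiKey --type SecureString --value '...'`, and the function's execution role needs `ssm:GetParameter` (plus `kms:Decrypt` on the key if a customer managed key is used) rather than the `PutParameter` permission used to provision it. The per-invocation API call is the latency cost the text mentions; the same module-level caching shown in the Secrets Manager example applies here too.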

One point to be aware of with this approach is that it adds latency to the Lambda execution, but it improves security.

Storing credentials securely is a key part of keeping your serverless applications secure.
