Lateral movement

Lambda Function Exposes AWS Secret

Risk Level

Hazardous (3)

Compliance Frameworks
  • Orca Best Practices

About AWS Lambda

AWS Lambda is an event-based, serverless computing platform that allows you to run code without provisioning or configuring infrastructure. There’s no need to spin up new servers or containers, perform OS maintenance, or manage memory and CPU cycles; the platform does it for you. All you have to do is execute your code via Lambda functions.

Lambda execution is triggered by demand. Your application runs and scales as required, from a few requests per hour to thousands per second.

Lambda provides a developer-friendly API for invoking functions. It can also execute function logic in response to certain events generated by other AWS services. For example, if Lambda receives a login event from a configured web service, it can execute the authentication function, which verifies the identity of the user.

Lambda also allows using environment variables for setting configuration values without modifying code. Environment variables are stored as key-value pairs and can be accessed by the application during execution. Ideally, environment variables shouldn’t contain sensitive information like secrets, tokens, passwords, and cryptographic keys; instead, they should be stored in purpose-built keystores, like AWS Secrets Manager.

However, if security-critical information is to be stored as environment variables, those variables should be encrypted. This protects data from unauthorized access, and allows you to conform with various security and compliance standards.

Cloud Risk Description

Lambda environment variables that store critical data such as tokens, secrets, encryption keys, hash salts, and passwords should be encrypted. This keeps sensitive information safe from unauthorized access.
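As an added illustration of the check described above (example code, not Orca's own detection logic): a small audit function that takes one Lambda function configuration, in the shape returned by boto3's `get_function_configuration`, flags environment variables whose names look like credentials or whose values match the AWS access key ID format, reports a masked sample rather than the raw value, and records whether a customer-managed KMS key (`KMSKeyArn`) is configured. The name heuristics and the sample configuration are assumptions constructed for the demo; no network call is made.

```python
import re
from typing import Dict, List

# Heuristic list of variable names that usually carry credentials (assumed, not exhaustive).
SENSITIVE_KEY_RE = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY|SALT)", re.I
)
# AWS access key IDs use the well-known "AKIA" prefix followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def mask(value: str) -> str:
    """Keep only the first four characters so a finding can be reported without leaking the value."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def audit_lambda_env(config: Dict) -> List[Dict]:
    """Return one finding per environment variable that looks like a secret.

    `config` mirrors a GetFunctionConfiguration response: Environment.Variables holds
    the key-value pairs and KMSKeyArn is present only when a customer-managed key is set.
    """
    findings = []
    env = config.get("Environment", {}).get("Variables", {})
    customer_managed_kms = config.get("KMSKeyArn") is not None
    for name, value in env.items():
        reasons = []
        if SENSITIVE_KEY_RE.search(name):
            reasons.append("sensitive-looking variable name")
        if AWS_ACCESS_KEY_ID_RE.search(value):
            reasons.append("value matches AWS access key ID format")
        if reasons:
            findings.append({
                "function": config.get("FunctionName"),
                "variable": name,
                "sample": mask(value),
                "reasons": reasons,
                "customer_managed_kms": customer_managed_kms,
            })
    return findings


# Constructed sample configuration for offline demonstration; the values are not real credentials.
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "Environment": {"Variables": {
        "LOG_LEVEL": "info",
        "DB_PASSWORD": "example-password-value",
        "AWS_KEY": "AKIAEXAMPLEEXAMPLE12",
    }},
}

if __name__ == "__main__":
    for finding in audit_lambda_env(SAMPLE_CONFIG):
        print(finding)
```

To run this against a real account, feed it each dict returned by `boto3.client("lambda").get_function_configuration(FunctionName=...)` and treat any finding with `customer_managed_kms` false as a variable that should move to AWS Secrets Manager or at least be encrypted with a customer-managed key.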

How Does Orca Help?

Orca detects sensitive data at risk across both the workload and the control plane, pinpointing its exact location and providing masked samples of the data for quick remediation. Orca is able to look for secrets in environment variables and alert on them. In this specific case, Orca looks for "Lambda Functions that Expose AWS Secrets" and raises an alert for this type of issue, as shown in the screenshot above.


Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.