Lateral movement

Lambda function environment variables expose secrets

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

AWS Lambda is AWS's serverless compute service. Environment variables are key-value pairs passed into a function's execution environment; they let generic function code adapt its behaviour without code changes. We have found that this Lambda function exposes sensitive data in its environment variables. If an attacker can list this function (i.e. read its metadata), they can read these values and may be able to use them for lateral movement.
  • Recommended Mitigation

    Review your Lambda functions and make sure their environment variables do not contain secrets. We recommend storing secrets in a dedicated service such as KMS.
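As an added example (not part of the original page or any vendor tooling), a Python check that scans Lambda function configurations, in the shape returned by the ListFunctions / GetFunctionConfiguration APIs, for environment variables whose names or values look like secrets. The sample configurations below are constructed with placeholder values, and the boto3 client in `scan_account` is an assumption for live use only.

```python
import re

# Variable NAMES that conventionally carry secrets.
SECRET_NAME = re.compile(r"secret|password|passwd|token|api_?key|private_?key|access_?key", re.I)
# Variable VALUES in well-known credential formats.
SECRET_VALUE = [
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                   # AWS access key ID
    re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
]


def find_exposed_secrets(functions):
    """One finding per suspicious env var. `functions` holds FunctionConfiguration
    dicts as returned by Lambda ListFunctions / GetFunctionConfiguration (only
    FunctionName and Environment are read). Values are not copied into the
    findings, so the report itself does not leak the secret."""
    findings = []
    for fn in functions:
        variables = fn.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            if SECRET_NAME.search(name):
                reason = "variable name suggests a secret"
            elif any(p.match(value) for p in SECRET_VALUE):
                reason = "value matches a known credential format"
            else:
                continue
            findings.append({"function": fn["FunctionName"], "variable": name, "reason": reason})
    return findings


def scan_account(lambda_client):
    """Live variant (assumption: lambda_client = boto3.client('lambda'));
    ListFunctions already returns each function's Environment block."""
    functions = []
    for page in lambda_client.get_paginator("list_functions").paginate():
        functions.extend(page["Functions"])
    return find_exposed_secrets(functions)

# Constructed sample configurations; values are placeholders, not real credentials.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Environment": {"Variables": {
        "DB_PASSWORD": "placeholder-db-password",
        "LOG_LEVEL": "INFO",
        "UPSTREAM_KEY": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation placeholder key ID
    }}},
    {"FunctionName": "image-resizer", "Environment": {"Variables": {"MAX_WIDTH": "1024"}}},
    {"FunctionName": "no-env-function"},
]
```

Running `find_exposed_secrets(SAMPLE_FUNCTIONS)` flags `DB_PASSWORD` by name and `UPSTREAM_KEY` by value, and ignores the functions with no suspicious variables.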