Suspicious activity

Lambda function that exposes secrets is reached from Tor IP address

Risk Level

Imminent Compromised (2)



Orca detected AWS lambda function {AwsLambdaFunction} with environment variables exposing secrets. The function configuration was fetched by one of the following api calls: GetFunction, GetFunctionConfiguration or ListFunctions which retrieves the environment variables. This action may indicate of a presence of an unauthorized actor in the cloud environment, since the api call was invoked from Tor IP address - {MaliciousIp.MaliciousIp}.
  • Recommended Mitigation

    Review your Lambda functions and make sure they do not contain secrets. We recommend to store AWS secrets in dedicated services like Secrets Manager or Parameter Store, or encrypt the environment variables with a dedicated KMS key. The actions should be reviewed and the secrets which the lambda function exposes should be rotated.