Package scanning
Before deploying any code to Lambda, it is advisable to scan the code package for vulnerabilities. Various tools are available for this purpose, including AWS-native and third-party solutions. These tools can identify known security vulnerabilities in the libraries and dependencies your function uses. Regularly scanning your code packages can help you catch potential security issues before they become a problem in a live environment. This proactive approach can save time and reduce the risk associated with deploying insecure code. This topic will be covered in more detail in Chapter 12.
Secure environment variables
Environment variables in Lambda functions often hold sensitive information, such as API keys, database credentials, or other secrets. While Lambda encrypts these variables at rest and during function execution, additional steps can be taken to enhance the security of environment variables.
Encryption
By default, Lambda encrypts environment variables using an AWS-managed KMS key. However, for greater control, you can specify a CMK. Enabling encryption helpers can further secure these variables by encrypting them client-side before transmission, so the plaintext never appears in the function configuration. This adds an additional layer of protection against unauthorized access. To restrict who can read these environment variables, you can deny access to the KMS CMKs using IAM policies. It is advisable to store only non-sensitive configuration data in environment variables and to use more secure options for sensitive information.
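The following is an added illustration, not code from the book, of how a function reads a variable that was encrypted with the encryption helpers. The helper stores the KMS ciphertext base64-encoded and binds it to the function with the encryption context {"LambdaFunctionName": <name>}, so the decrypt call must supply the same context. The function name "orders-api", the variable name DB_PASSWORD and the FakeKms class are assumptions made for this example so that it runs offline; in the Lambda runtime the kms_client would be boto3.client("kms").

```python
import base64
import os
from typing import Dict, Tuple

# Assumed for this example: Lambda sets AWS_LAMBDA_FUNCTION_NAME in the real
# runtime; "orders-api" is only a stand-in for running this file locally.
FUNCTION_NAME = os.environ.get("AWS_LAMBDA_FUNCTION_NAME", "orders-api")


def decrypt_env_value(ciphertext_b64: str, kms_client, function_name: str) -> str:
    """Decrypt a value produced by the Lambda console's encryption helper.

    The helper base64-encodes the KMS ciphertext and binds it to the function
    through the encryption context.  Supplying the same context on decrypt is
    what stops a ciphertext copied out of one function's configuration from
    being decrypted inside a different function.
    """
    response = kms_client.decrypt(
        CiphertextBlob=base64.b64decode(ciphertext_b64),
        EncryptionContext={"LambdaFunctionName": function_name},
    )
    return response["Plaintext"].decode("utf-8")


class InvalidCiphertextException(Exception):
    """Stand-in for the botocore error KMS raises on a context mismatch."""


class FakeKms:
    """Constructed offline stand-in for boto3's KMS client (assumption).

    It remembers the context used at encrypt time and, like real KMS, refuses
    to decrypt when a different context is supplied.  The 'ciphertext' is just
    a token; no real encryption happens here.
    """

    def __init__(self) -> None:
        self._store: Dict[bytes, Tuple[bytes, Dict[str, str]]] = {}

    def encrypt(self, Plaintext: bytes, EncryptionContext: Dict[str, str]) -> dict:
        blob = b"fake-ct-" + Plaintext[::-1]
        self._store[blob] = (Plaintext, dict(EncryptionContext))
        return {"CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob: bytes, EncryptionContext: Dict[str, str]) -> dict:
        plaintext, ctx = self._store[CiphertextBlob]
        if ctx != EncryptionContext:
            raise InvalidCiphertextException("encryption context mismatch")
        return {"Plaintext": plaintext}


# Decrypted values are cached per execution environment: Lambda reuses the
# container across invocations, so decrypting inside the handler body would
# cost one KMS call per request instead of one per cold start.
_cache: Dict[str, str] = {}


def get_secret_from_env(name: str, kms_client, function_name: str = FUNCTION_NAME) -> str:
    if name not in _cache:
        _cache[name] = decrypt_env_value(os.environ[name], kms_client, function_name)
    return _cache[name]


def make_demo() -> Tuple[FakeKms, str]:
    """Build a FakeKms holding one value, as the helper would after encrypting
    DB_PASSWORD for the function 'orders-api' (constructed sample data)."""
    kms = FakeKms()
    blob = kms.encrypt(
        Plaintext=b"s3cr3t-pw",
        EncryptionContext={"LambdaFunctionName": "orders-api"},
    )["CiphertextBlob"]
    return kms, base64.b64encode(blob).decode("ascii")


def demo_roundtrip() -> str:
    kms, ct = make_demo()
    return decrypt_env_value(ct, kms, "orders-api")


def demo_context_mismatch() -> bool:
    """Failure mode: the same ciphertext presented under another function name."""
    kms, ct = make_demo()
    try:
        decrypt_env_value(ct, kms, "another-function")
    except InvalidCiphertextException:
        return True
    return False


def handler(event, context):
    """Lambda entry point.  boto3 is imported lazily so this module also loads
    where boto3 is not installed; it is always present in the Lambda runtime."""
    import boto3

    password = get_secret_from_env("DB_PASSWORD", boto3.client("kms"))
    # Never return or log the secret itself; only prove it was obtained.
    return {"statusCode": 200, "secretLength": len(password)}
```

The execution role still needs kms:Decrypt on the CMK for this to work, which is exactly the permission the IAM deny described above withholds from everyone else.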
Secrets management
For a more secure approach to managing sensitive information, consider integrating AWS Systems Manager (SSM) Parameter Store and AWS Secrets Manager into your Lambda functions. Both services allow you to securely store, retrieve, and manage sensitive data. Rather than hardcoding these values into your Lambda function or storing them as plaintext in environment variables, you can reference them directly from either SSM Parameter Store or Secrets Manager. This approach allows for a separation of duties; developers can configure Lambda functions without needing direct access to the sensitive environment variables they use.
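As an added example (not the book's own code), the pattern below fetches a secret from Secrets Manager or SSM Parameter Store on first use and caches it in memory with a time-to-live, so a rotated value is picked up without a Secrets Manager call on every invocation. The boto3 calls in secrets_manager_fetch and ssm_fetch are the real ones; the secret name "prod/orders/db", its JSON layout and the FakeSecretStore class are assumptions made so the example runs offline.

```python
import json
import time
from typing import Callable, Dict, Tuple


class SecretCache:
    """Fetch a secret on first use, then serve it from memory until the TTL expires.

    Lambda reuses execution environments, so a module-level cache avoids one
    Secrets Manager / Parameter Store call per invocation while still picking
    up rotated values within ttl_seconds.  The clock is injectable for tests.
    """

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}

    def get(self, name: str) -> str:
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]
        value = self._fetch(name)
        self._entries[name] = (value, now)
        return value


def secrets_manager_fetch(name: str) -> str:
    """Read a secret from AWS Secrets Manager (boto3 imported lazily)."""
    import boto3

    resp = boto3.client("secretsmanager").get_secret_value(SecretId=name)
    return resp["SecretString"]


def ssm_fetch(name: str) -> str:
    """Read a SecureString parameter from SSM Parameter Store, decrypted by KMS."""
    import boto3

    resp = boto3.client("ssm").get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def db_credentials(cache: SecretCache, secret_name: str) -> Tuple[str, str]:
    """Assumed secret layout: a JSON document with username and password fields."""
    doc = json.loads(cache.get(secret_name))
    return doc["username"], doc["password"]


class FakeSecretStore:
    """Constructed offline stand-in for the two fetch functions above."""

    def __init__(self, values: Dict[str, str]) -> None:
        self.values = dict(values)
        self.calls = 0

    def fetch(self, name: str) -> str:
        self.calls += 1
        return self.values[name]


def demo_cache_behaviour() -> Tuple[int, int, str]:
    """Return (backend calls after three reads inside the TTL,
               backend calls after the TTL expired,
               password seen after the secret was rotated)."""
    fake_time = [1000.0]
    store = FakeSecretStore(
        {"prod/orders/db": json.dumps({"username": "app", "password": "old"})}
    )
    cache = SecretCache(store.fetch, ttl_seconds=60, clock=lambda: fake_time[0])

    for _ in range(3):
        db_credentials(cache, "prod/orders/db")
    calls_within_ttl = store.calls

    # Simulate rotation, then advance past the TTL so the cache refreshes.
    store.values["prod/orders/db"] = json.dumps({"username": "app", "password": "new"})
    fake_time[0] += 61
    _, password = db_credentials(cache, "prod/orders/db")
    return calls_within_ttl, store.calls, password


# Real deployment: one cache per container, built at module import time.
SECRETS = SecretCache(secrets_manager_fetch)


def handler(event, context):
    user, _ = db_credentials(SECRETS, "prod/orders/db")
    return {"statusCode": 200, "user": user}
```

The separation of duties described above comes from the permissions: the function's execution role is granted secretsmanager:GetSecretValue (or ssm:GetParameter plus kms:Decrypt for a SecureString) on that one secret's ARN, while the developers who deploy the function need no permission to read the secret at all.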