Ensure Lambda function environment variables are not exposing sensitive data

Ensure that your Lambda functions environment variables are not exposing sensitive data such as passwords, data base connection strings, aws access keys and such. Understanding that anyone that has read only access to your AWS account has the ability to read what has been set in these variables.s For this reason this is considered a security best practice and should have all sensitive data encrypted via KMS. Ensuring this is enabled will help you with HIPPA, GDPR and NIST compliance.

Audit & Remediation



  • Select the function under Function name in order to gain access to the individual function.
  • On the current tab Configuration tab, scroll down to the Environment variables section.



  • If any variables look to contain sensitive data (passwords, access keys, api keys, database connection strings etc) then select the Edit button.
  • Select a AWS KMS key to encrypt in transit in order to encrypt the variable. You will need to update the IAM role that the lambda function is using to have the ability to decrypt the encrypted variable.



  • !Important you will need to update your lambda function with a helper function in order to call kms to decrypt your variable.



  • Repeat the outlined steps for each function.
  • Repeat the outlined steps for each region you have functions running.
See all of your AWS Lambda Functions in a single place!

Do you want to see all of your Lambda Functions in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.


Other Key Features


Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.

learn more +