AWS-029 Amazon Web Services (AWS)

Lambda functions hold no secrets in plaintext env vars and use least-privilege roles.

Domain: Amazon Web Services (AWS)
Area: Serverless / Containers
Automated / manual: Automated

Risk if it fails

Embedded secrets/over-broad roles are easily abused.

Lambda environment variables are encrypted at rest with KMS, but the service returns them decrypted to any principal that can call GetFunctionConfiguration or open the function in the console, so a hard-coded password is readable by everyone with that permission and by anyone who obtains the deployment package or its source. The execution role is the function's identity: a hijacked function holds every permission the role grants, so an over-broad role turns a compromise of one small function into reach across the account.

How Tess tests it

1 test; it concludes only on cited evidence.

Lambda functions hold no secrets in plaintext env vars and use least-privilege roles.

Automated
Procedure
Inspect function configs/env vars and attached execution-role policies.

Read-only command

for f in $(aws lambda list-functions --query 'Functions[].FunctionName' --output text); do aws lambda get-function-configuration --function-name "$f" --query '{F:FunctionName,Role:Role,Env:Environment.Variables}' --output json; done
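The one-liner above shows the raw evidence but leaves the reviewer to eyeball it, and it does not touch the execution role at all. The script below is an added example written for this page; it is not Tess's own tooling. It walks every function, flags environment-variable names that look like credentials (printing names only, so secret values never land in a terminal log), resolves the execution role, and greps each attached and inline policy document for a full wildcard Action or Resource. It assumes AWS CLI v2 configured with read-only credentials allowing lambda:ListFunctions, lambda:GetFunctionConfiguration, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:GetPolicy, iam:GetPolicyVersion and iam:GetRolePolicy. The secret-name patterns, the `_ARN`/`_NAME`/`_PATH` exclusions and the wildcard regex are heuristics chosen for this example, not an AWS or Tess definition; a policy that grants `s3:*` or `iam:*` is still over-broad even though this regex only catches a bare `*`.

```shell
#!/bin/sh
# Added example (not Tess's tooling): read-only sweep of Lambda env-var
# names and execution-role policies. Assumes AWS CLI v2 with read-only
# credentials. No jq required.
set -eu

# Heuristic: does an env-var NAME look like it carries a credential?
# References to secrets (an ARN, a secret name, a parameter path) are the
# recommended pattern and are deliberately not flagged. Returns 0 on match.
looks_like_secret() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        *_ARN|*_NAME|*_PATH) return 1 ;;
        *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*API_KEY*|*APIKEY*|*PRIVATE_KEY*|*CREDENTIAL*) return 0 ;;
        *) return 1 ;;
    esac
}

# Heuristic: does a policy document (JSON on stdin) grant a full wildcard?
# Whitespace is stripped first so "Action": "*", "Action":["*"] and the
# Resource equivalents all match. Returns 0 if a wildcard is found.
policy_has_wildcard() {
    tr -d ' \n\t\r' | grep -Eq '"(Action|Resource)":(\[)?"\*"'
}

# Live audit: one FINDING line per suspicious env var or wildcard policy.
audit_lambda() {
    for f in $(aws lambda list-functions --query 'Functions[].FunctionName' --output text); do
        role_arn=$(aws lambda get-function-configuration --function-name "$f" \
                     --query 'Role' --output text)
        # keys() keeps values out of the output; `{}` handles functions with no env vars.
        for k in $(aws lambda get-function-configuration --function-name "$f" \
                     --query 'keys(Environment.Variables || `{}`)' --output text); do
            if looks_like_secret "$k"; then
                echo "FINDING $f: env var '$k' looks like a plaintext secret"
            fi
        done
        role_name=${role_arn##*/}   # role name is the last ARN segment, path excluded
        # Managed policies attached to the role: fetch the default version's document.
        for p in $(aws iam list-attached-role-policies --role-name "$role_name" \
                     --query 'AttachedPolicies[].PolicyArn' --output text); do
            v=$(aws iam get-policy --policy-arn "$p" --query 'Policy.DefaultVersionId' --output text)
            if aws iam get-policy-version --policy-arn "$p" --version-id "$v" \
                   --query 'PolicyVersion.Document' --output json | policy_has_wildcard; then
                echo "FINDING $f: role $role_name attached policy $p grants a wildcard"
            fi
        done
        # Inline policies embedded in the role.
        for p in $(aws iam list-role-policies --role-name "$role_name" \
                     --query 'PolicyNames[]' --output text); do
            if aws iam get-role-policy --role-name "$role_name" --policy-name "$p" \
                   --query 'PolicyDocument' --output json | policy_has_wildcard; then
                echo "FINDING $f: role $role_name inline policy $p grants a wildcard"
            fi
        done
    done
}

# Only call AWS when explicitly asked, so the helpers can be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
    audit_lambda
fi
```

Save it under a name of your choosing (say `lambda-audit.sh`, a hypothetical filename) and run `sh lambda-audit.sh --live` with read-only credentials; without `--live` it only defines the helpers. Treat each FINDING as a lead, not a verdict: a name match still needs a human to confirm the value is a real credential rather than a reference, and a role that passes the wildcard check can still be far broader than the function needs.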
