v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 4.12 Ensure encryption in transit is enabled for Lambda environment variables

Description

As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection.

Lambda environment variables should be encrypted in transit for client-side protection as they can store sensitive information.

Remediation

From the Console:

  1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
  2. In the left column, under AWS Lambda, click Functions.
  3. Under Function name click on the name of the function that you want to review.
  4. Click the Configuration tab.
  5. In the left column, click Environment variables.
  6. In the Environment variables section, click Edit.
  7. Click the check box for Enable helpers for encryption in transit.
  8. Click the Encrypt option for all the variable that need to be encrypted.
  9. Repeat steps 2 – 8 for each Lambda function identified in the Audit within the current AWS region.
  10. Repeat this remediation for all the other AWS regions.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_4_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_12 --share

SQL

This control uses a named query:

lambda_function_encryption_enabled

Tags

category = Compliance
cis = true
cis_item_id = 4.12
cis_level = 1
cis_section_id = 4
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/Lambda