# TIL: How to find Lambda functions with clear-text sensitive keys using Steampipe

Today, I learned how to use Steampipe to find AWS Lambda functions that have clear-text sensitive keys in their environment variables, including API keys and database secrets.

I had the goal of finding clear-text secrets in our Lambda functions in order to replace them with encrypted secrets using AWS Secrets Manager, for example.

I started by collecting the complete list of environment variables from all of our Lambda functions to identify common patterns in their names. For example, from `DATADOG_API_KEY` and `GITHUB_API_KEY`, I could deduce that we need to search for `API_KEY`.

I just had a quick glance over the variables and made a list of the following search terms: `key`, `token`, `secret`, `password`, `credential`, and `bearer`. Since we've already started to use Secrets Manager secrets in some of our Lambda functions, I decided to exclude variable names that include `arn`.

I extracted the environment variables from Steampipe's `aws_lambda_function` table using the `environment_variables` column. The `environment_variables` column is a JSONB column. We can use the `jsonb_object_keys` function to get only the variable names.

I joined the variable names with the list of Lambda functions so that we could get an output table that lists each environment variable and the Lambda function it belongs to.

This is the query that I ended up with:

```sql
WITH functions_keys AS (
    SELECT
        name,
        -- one row per environment variable name; values are not extracted
        jsonb_object_keys(environment_variables) AS key,
        tags ->> 'aws:cloudformation:logical-id' AS cloudformation_logical_id,
        tags ->> 'aws:cloudformation:stack-id' AS cloudformation_stack_id,
        tags ->> 'aws:cloudformation:stack-name' AS cloudformation_stack_name,
        tags,
        account_id,
        region
    FROM
        aws_lambda_function
)
SELECT
    *
FROM
    functions_keys
WHERE
    -- skip variables that hold Secrets Manager references (named with "arn")
    key NOT ILIKE '%arn%'
    AND (
        key ILIKE '%key%'
        OR key ILIKE '%token%'
        OR key ILIKE '%secret%'
        OR key ILIKE '%password%'
        OR key ILIKE '%credential%'
        OR key ILIKE '%bearer%'
        OR key ILIKE '%xcauth%'
        OR key ILIKE '%auth%'
    )
ORDER BY
    cloudformation_logical_id, name;
```
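The query above matches on variable names only, so a variable that is named like a secret but actually holds a Secrets Manager ARN is excluded purely by naming convention. The following query is an added example, not part of the original post; it uses `jsonb_each_text` instead of `jsonb_object_keys` to get both the name and the value of each environment variable, excludes ARN-valued variables by their value (assuming Secrets Manager or Parameter Store references are stored as strings beginning with `arn:`), and reports only the length of the remaining values so that the query output itself never contains a clear-text secret. The name patterns are the same as in the original query, collapsed into one case-insensitive regular expression.

```sql
-- Added example, not from the original post.
-- Assumes Steampipe's aws_lambda_function table with its JSONB
-- environment_variables column, and that secret references are stored
-- as ARNs (values starting with "arn:").
WITH function_vars AS (
    SELECT
        name,
        account_id,
        region,
        tags ->> 'aws:cloudformation:stack-name' AS cloudformation_stack_name,
        kv.key   AS var_name,
        kv.value AS var_value
    FROM
        aws_lambda_function,
        -- implicit LATERAL join: one row per environment variable;
        -- functions without environment variables produce no rows
        jsonb_each_text(environment_variables) AS kv
)
SELECT
    name,
    account_id,
    region,
    cloudformation_stack_name,
    var_name,
    -- report the size of the value, never the value itself
    length(var_value) AS value_length
FROM
    function_vars
WHERE
    -- same name patterns as the original query, as one case-insensitive regex
    var_name ~* '(key|token|secret|password|credential|bearer|auth)'
    -- exclude references to Secrets Manager / Parameter Store by value,
    -- regardless of how the variable is named (assumption: stored as ARNs)
    AND var_value NOT LIKE 'arn:%'
    -- an empty value is a placeholder, not a secret to rotate
    AND var_value <> ''
ORDER BY
    account_id, region, name, var_name;
```

Run it from `steampipe query` as with the original. A `value_length` of a few characters usually points to a placeholder or feature flag that happens to contain `key` or `auth`, while a long value under a name like `DATADOG_API_KEY` is a candidate for moving into Secrets Manager; either way the secret stays out of your terminal history and query logs.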


Last Updated: 11/20/2023, 10:04:51 AM