# TIL: How to find Lambda functions with clear-text sensitive keys using Steampipe
Today, I learned how to use Steampipe to find AWS Lambda functions that have clear-text sensitive keys in their environment variables, including API keys and database secrets.

My goal was to find clear-text secrets in our Lambda functions so that we could replace them with encrypted secrets, for example by using AWS Secrets Manager.

I started by collecting the complete list of environment variables from all of our Lambda functions to identify common patterns in their names. For example, from `DATADOG_API_KEY` and `GITHUB_API_KEY`, I could deduce that we need to search for `API_KEY`.

I had a quick glance over the variables and made a list of the following search terms: `key`, `token`, `secret`, `password`, `credential`, and `bearer`. Since we've already started to use Secrets Manager secrets in some of our Lambda functions, I decided to exclude variable names that include `arn`.

I extracted the environment variables from Steampipe's `aws_lambda_function` table using the `environment_variables` column, which is a JSONB column. We can use the `jsonb_object_keys` function to get only the variable names.

I joined the variable names with the list of Lambda functions so that we could get an output table that lists each environment variable and the Lambda function it belongs to.

This is the query that I ended up with:
```sql
WITH functions_keys AS (
  SELECT
    name,
    jsonb_object_keys(environment_variables) AS key,
    tags ->> 'aws:cloudformation:logical-id' AS cloudformation_logical_id,
    tags ->> 'aws:cloudformation:stack-id' AS cloudformation_stack_id,
    tags ->> 'aws:cloudformation:stack-name' AS cloudformation_stack_name,
    tags,
    account_id,
    region
  FROM
    aws_lambda_function
)
SELECT
  *
FROM
  functions_keys
WHERE
  key NOT ILIKE '%arn%'
  AND (
    key ILIKE '%key%'
    OR key ILIKE '%token%'
    OR key ILIKE '%secret%'
    OR key ILIKE '%password%'
    OR key ILIKE '%credential%'
    OR key ILIKE '%bearer%'
    OR key ILIKE '%xcauth%'
    OR key ILIKE '%auth%'
  )
ORDER BY tags ->> 'aws:cloudformation:logical-id', name;
```
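As an added example (not from the original post), the following variant of the same approach uses `jsonb_each_text` to look at variable values as well as names: it skips variables whose value is a Secrets Manager or SSM ARN (a secret reference rather than a clear-text secret) and also flags long opaque values regardless of how the variable is named. The name patterns, the ARN prefixes and the 32-character value regex are my own heuristics, not part of the original query, and should be tuned per environment.

```sql
-- Added example: audits both the names and the values of Lambda environment variables.
-- Uses the same Steampipe aws_lambda_function table and columns as the query above.
-- The name patterns, ARN prefixes and value regex below are assumed heuristics.
WITH function_vars AS (
  SELECT
    name,
    account_id,
    region,
    tags ->> 'aws:cloudformation:stack-name' AS cloudformation_stack_name,
    kv.key   AS var_name,
    kv.value AS var_value,
    -- name looks sensitive (same idea as the original query, plus 'auth')
    kv.key ILIKE ANY (ARRAY[
      '%key%', '%token%', '%secret%', '%password%',
      '%credential%', '%bearer%', '%auth%'
    ]) AS sensitive_name,
    -- value looks like a long opaque token under any name (assumed threshold: 32 chars)
    kv.value ~ '^[A-Za-z0-9+/=_-]{32,}$' AS opaque_value
  FROM
    aws_lambda_function,
    jsonb_each_text(environment_variables) AS kv
)
SELECT
  account_id,
  region,
  cloudformation_stack_name,
  name,
  var_name,
  -- report only the value length, never the value itself, so the output is safe to share
  length(var_value) AS value_length,
  CASE
    WHEN sensitive_name THEN 'sensitive name'
    ELSE 'opaque value'
  END AS reason
FROM
  function_vars
WHERE
  -- a reference to a managed secret is not a clear-text secret
  var_value NOT LIKE 'arn:aws:secretsmanager:%'
  AND var_value NOT LIKE 'arn:aws:ssm:%'
  AND var_name NOT ILIKE '%arn%'
  AND (sensitive_name OR opaque_value)
ORDER BY
  account_id, region, name, var_name;
```

Variables that match only because of an opaque value are worth a manual look before treating them as findings, since build hashes and resource IDs can match the same pattern.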