Skip to content

AWS Lambda

AWS Lambda delivers serverless event-triggered code snippets. SailPoint Entro detects Secrets and NHIs exposed on AWS Lambda (as shown below):

Step 1: Locate the Exposed Token with SailPoint Entro Platform

Use the link provided by SailPoint Entro to navigate directly to the lambda function where the token was exposed.

Step 2: Revoke Rotate and remove the Exposed Token

To remediate the issue, use the RIGOR workflow:

  • Redact Sensitive Information: Remove references to the exposed token from the function’s code and update any environment variables containing the token.

  • Inform the owner about the token exposure so that the practice is not repeated.

  • Generate a new token if necessary and ensure it is securely vaulted, avoiding exposure in scripts, pipeline configurations, or environment settings.

  • Organize and take notes throughout this process as they will be necessary for a future root cause analysis, response plans, etc...

  • Revoke any exposed tokens through the issuing service based on the token type provided by SailPoint Entro. Refer to Key Rotation Best Practices.

Step 3a (optional): Use AWS Secrets Manager for Enhanced Security

Consider using AWS Secrets Manager for storing sensitive information like tokens, as it provides additional security features such as automatic rotation and fine-grained access control. Migrate the new token to AWS Secrets Manager if enhanced security features are needed, and update your AWS services to access the token from Secrets Manager instead of Parameter Store.

Step 3b (optional): Update AWS Services to Access Secrets Securely

In order to fully utilize the secure capabilities of AWS Secrets Manager:

  1. Set up AWS Secrets Manager to securely store sensitive information like tokens.

  2. Store the new token in AWS Secrets Manager and update your Lambda function to access the token securely from the vault.

  3. Adjust the IAM roles and permissions of the Lambda function to allow it to access the stored secrets in AWS Secrets Manager.

Step 4: Audit Access

Review AWS CloudTrail logs to verify that no unauthorized access occurred while the token was exposed.

Step 5: Monitor

Set up AWS CloudWatch monitoring and alerts to notify you of any unusual activities related to the Lambda function or access to sensitive data.