AWS lambda medium security documentation change
Summary
Updated guidance to use AWS Parameters and Secrets Lambda extension instead of storing secrets in environment variables
Security assessment
Explicitly warns against storing sensitive info in code and promotes secure secret management via Secrets Manager, addressing insecure credential storage practices
Diff
diff --git a/lambda/latest/dg/urls-webhook-tutorial.md b/lambda/latest/dg/urls-webhook-tutorial.md index 04df67c14..74a488cd5 100644 --- a//lambda/latest/dg/urls-webhook-tutorial.md +++ b//lambda/latest/dg/urls-webhook-tutorial.md @@ -280 +280 @@ Node.js -For the Lambda function to authenticate the webhook request, it uses a secret key which it shares with the calling application. In this example, the key is stored in an environment variable. In a production application, we recommend that you use AWS Secrets Manager as a more secure option. To learn more about using Secrets Manager to store secret keys, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) and [Get secrets from AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) in the _AWS Secrets Manager User Guide_. +For the Lambda function to authenticate the webhook request, it uses a secret key which it shares with the calling application. In this example, the key is stored in an environment variable. In a production application, don't include sensitive information like passwords in your function code. Instead, [create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) and then [use the AWS Parameters and Secrets Lambda extension](./with-secrets-manager.html) to retrieve your credentials in your Lambda function.