What is the MOST cost-effective way to address this security issue?
Set up IAM policies from the Lambda console to hide access to the environment variables.
Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.
Explanations:
IAM policies cannot hide environment variables in the Lambda console. The IAM policies can control access to Lambda functions but not how environment variables are displayed.
Using AWS Step Functions to store environment variables is an overcomplicated solution, and it doesn’t directly address the issue of securely storing sensitive information. Step Functions are meant for orchestrating workflows, not for storing sensitive data.
While AWS Secrets Manager can store sensitive information securely, it is a more expensive service and might be overkill for storing small, few-character secrets. Additionally, Secrets Manager has added cost compared to other options like Systems Manager Parameter Store.
Storing sensitive environment variables as secure string parameters in AWS Systems Manager Parameter Store is the most cost-effective and secure solution. It provides encryption at rest, controlled access via IAM policies, and is more affordable than Secrets Manager for small amounts of sensitive data.
Based on what I know, the answer is:
Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.