📝 Google Cloud Function Environment Variables store confidential data 🟢

• Contextual name: 📝 Cloud Function Environment Variables store confidential data 🟢
• ID: /ce/ca/google/cloud-run/function-environment-variables-store-confidential-data
• Located in: 📁 Google Cloud Run

Flags

• 🟢 Impossible policy
• 🟢 Policy with categories
• 🟢 Policy with type

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Use Secrets Manager for Managing Secrets in Google Cloud Functions

Description

Open File

Description

Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without the requiring the management a host operating system. These functions can also store environment variables to be used by the code that may contain authentication or other information that needs to remain confidential.

Rationale

It is recommended to use the Secret Manager, because environment variables are stored unencrypted, and accessible for all users who have access to the code.

Impact

There should be no impact on the Cloud Function. There are minor costs after 10,000 requests a month to the Secret Manager API as well for a high use of other functions. Modifying the Cloud Function to use the Secret Manager may prevent it running to completion.

Audit

Determine if Confidential Information is Stored in your Functions in Cleartext

From Google Cloud Console

1. Within the project you wish to audit, select the Navigation hamburger menu in the top left. Scroll down to under the heading Serverless, then select Cloud Functions

... see more

Remediation

Open File

Remediation

Enable Secret Manager API for your Project

From Google Cloud Console

1. Within the project you wish to enable, select the Navigation hamburger menu in the top left. Hover over APIs & Services to under the heading Serverless, then select Enabled APIs & Services in the menu that opens up.
2. Click the button + Enable APIS and Services
3. In the Search bar, search for Secret Manager API and select it.
4. Click the blue box that says Enable.

From Google Cloud CLI

1. Within the project you wish to enable the API in, run the following command.

   gcloud services enable Secret Manager API

Reviewing Environment Variables That Should Be Migrated to Secret Manager

From Google Cloud Console

1. Log in to the Google Cloud Web Portal
2. Go to Cloud Functions
3. Click on a function name from the list
4. Click on Edit and review the Runtime environment for variables that should be secrets. Leave this list open for the next step.

From Google Cloud CLI

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 1.17 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager - Level 1 (Manual)			1
💼 Cloudaware Framework → 💼 Secure Access			43