Using AWS Step Functions to string together Lambdas is interesting, but is there a way to disable/hide logging on the execution details screen? Private information being handed from one lambda to another needs to be able to be done in secret, and adding a KMS encrypt/decrypt to each step is a ton of overhead, and impossible for lambdas that live in a VPC without internet access.
2 Answers
We've talked with Amazon and it looks like that there's no way to hide this information from the console. The alternative is to limit what gets sent to the Lambda functions at each step.
So you can ensure that only non-PII subsets of the input data are seen by certain functions. The usual workaround is not to pass PII data in at all and instead place the PII data in an encrypted data store, such as an S3 bucket or an encrypted RDS database table, and pass a reference to that object through the state machine.
- summertime sadness: this feels like a real oversight on their end. step functions have the potential to be the unix pipe but for network enabled applications. ah well. – Bronanaza Sep 22 '17 at 15:38
- Hello @Kamal, any news regarding this now? I'm evaluating Step Functions and have the same concern about the security of data running through each step. So far I can't find any information on whether Amazon fixed it or not. It's sad that such an important thing is missed. – Yaiba Apr 16 '18 at 07:01
- @Yaiba. Not much update, but we still have IAM and service level access to avoid any unauthorized access :) – Kamal Apr 17 '18 at 19:23
Another option is to use SSM Parameter Store with the SecureString type using KMS encryption. You would pass the name of the SSM parameter between steps. The Lambda functions would use the API to retrieve and decrypt the value in a single request. See the link below for documentation on how to work with SSM Parameter Store using boto3 in Python.
http://boto3.readthedocs.io/en/latest/reference/services/ssm.html#SSM.Client.get_parameter
You will have to ensure that the roles for your Lambda functions provide access to the SSM parameters AND access to the same KMS key that was used to encrypt the value.
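The pattern both answers describe (park the PII somewhere encrypted and let only a reference travel through the state machine) as a worked Lambda pair, written here as an added example rather than code from either answer. It uses the SSM SecureString route from the second answer; the parameter path `/stepfn/pii/`, the key alias `alias/stepfn-pii`, the `pii`/`pii_ref` event shape and the in-memory `FakeSSM` stand-in are all assumptions made for illustration. Note that a Lambda in a VPC without internet access needs VPC interface endpoints for `ssm` and `kms` for this to work, and that because anyone who can start an execution controls its input, the consumer refuses to dereference a parameter name outside its own path.

```python
"""Lambda pair for a Step Functions flow that keeps PII out of the execution
history: the secret is stored as an SSM SecureString and only the parameter
name moves between states. Added example, not code from the answers above;
prefix, key alias, event shape and FakeSSM are assumptions for illustration."""
import hashlib
import json
import uuid

PARAMETER_PREFIX = "/stepfn/pii/"   # assumed: the only path these Lambdas may touch
KMS_KEY_ID = "alias/stepfn-pii"     # assumed CMK alias protecting the SecureString


def _default_ssm():
    # boto3 is imported lazily so the module loads (and the offline demo runs) without it.
    import boto3
    return boto3.client("ssm")


def producer_handler(event, context=None, ssm=None):
    """First state: receives PII in its input, stores it encrypted, returns only a reference.

    Its role needs ssm:PutParameter on PARAMETER_PREFIX* and kms:Encrypt on
    KMS_KEY_ID (advanced-tier parameters use kms:GenerateDataKey instead).
    """
    ssm = ssm or _default_ssm()
    name = f"{PARAMETER_PREFIX}{uuid.uuid4()}"
    ssm.put_parameter(
        Name=name,
        Value=json.dumps(event["pii"]),
        Type="SecureString",
        KeyId=KMS_KEY_ID,
        Overwrite=False,
    )
    # Whatever is returned here is recorded in the execution history and shown
    # in the console, so only the reference leaves the function.
    return {"pii_ref": name}


def consumer_handler(event, context=None, ssm=None):
    """Later state: resolves the reference, uses the PII, then deletes the parameter.

    Its role needs ssm:GetParameter and ssm:DeleteParameter on PARAMETER_PREFIX*
    and kms:Decrypt on KMS_KEY_ID.
    """
    ssm = ssm or _default_ssm()
    name = event["pii_ref"]
    # The reference is attacker-influenced input if executions can be started with
    # arbitrary JSON, so never dereference a name outside our own path.
    if not name.startswith(PARAMETER_PREFIX):
        raise ValueError("refusing to read a parameter outside the PII path")
    resp = ssm.get_parameter(Name=name, WithDecryption=True)   # one call: fetch + decrypt
    pii = json.loads(resp["Parameter"]["Value"])
    # Real work happens here. Only a derived token goes back into the state
    # (a truncated hash, purely for illustration; plain hashes of emails are guessable).
    token = hashlib.sha256(pii["email"].encode()).hexdigest()[:16]
    ssm.delete_parameter(Name=name)   # the reference is now dead
    return {"pii_ref": name, "email_token": token}


def state_contains_secret(state, secret_values):
    """Check that a state's serialized output (what the console shows) carries
    none of the given secret values."""
    blob = json.dumps(state)
    return any(secret in blob for secret in secret_values)


class FakeSSM:
    """In-memory stand-in for the boto3 SSM client, constructed for the offline demo.
    It records the Type so the demo can confirm SecureString was used; nothing is
    actually encrypted here."""

    def __init__(self):
        self.store = {}

    def put_parameter(self, Name, Value, Type, KeyId=None, Overwrite=False):
        if Name in self.store and not Overwrite:
            raise RuntimeError("ParameterAlreadyExists")
        self.store[Name] = {"Value": Value, "Type": Type, "KeyId": KeyId}
        return {"Version": 1}

    def get_parameter(self, Name, WithDecryption=False):
        if Name not in self.store:
            raise KeyError(Name)
        param = self.store[Name]
        if param["Type"] == "SecureString" and not WithDecryption:
            return {"Parameter": {"Name": Name, "Value": "<ciphertext>"}}
        return {"Parameter": {"Name": Name, "Value": param["Value"]}}

    def delete_parameter(self, Name):
        self.store.pop(Name)
        return {}


if __name__ == "__main__":
    fake = FakeSSM()
    sample = {"pii": {"email": "jane@example.org", "ssn": "123-45-6789"}}  # constructed input
    step1 = producer_handler(sample, ssm=fake)
    step2 = consumer_handler(step1, ssm=fake)
    print(step1, step2)
    print("secret visible in state:",
          state_contains_secret([step1, step2], ["jane@example.org", "123-45-6789"]))
```

Deployed for real, the two handlers run with `ssm=None` and pick up `boto3.client("ssm")`; the same two functions run offline against `FakeSSM`, which is how the demo at the bottom exercises them. The S3 variant from the first answer has the same shape: `put_object` with server-side KMS encryption in the producer, the object key in the state, and `get_object` plus `delete_object` in the consumer.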