Securing sensitive configuration
Throughout this book, and in the previous section about managing environments, we've relied heavily on environment variables. One very nice feature of pulling configuration from the environment is that sensitive information never needs to be checked into source control. All of our application code and any framework code (such as the Serverless Framework) can look up variable values from the environment when needed.
Configuration via environment variables is all well and good, but our usage of these variables is not perfect. The problem with combining environment variables and Lambda is that the data pulled from the deployment environment is uploaded and stored in AWS Lambda functions as plain text. For example, take a look at serverless.yml from the previous section about error handling using either Sentry or Rollbar:
provider:
  name: aws
  runtime: python3.6
  region: ${env:AWS_REGION}
  stage: ${env:ENV}
  environment:
    SENTRY_ENVIRONMENT:...
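To make the plain-text problem described above concrete, the following added example (not code from this book or from the Serverless Framework) audits a dictionary shaped like the Lambda GetFunctionConfiguration response and reports variables that look like readable secrets. The function name, the SENTRY_DSN and ROLLBAR_KEY variables and their values, the name pattern and the entropy threshold are all constructed assumptions.

```python
import math
import re
from urllib.parse import urlsplit

# Names that usually hold credentials (assumed pattern; tune per project).
SENSITIVE_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|DSN|API_?KEY|_KEY$)", re.I)


def shannon_entropy(value):
    """Bits of entropy per character; random tokens score high."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def classify(name, value):
    """Return why a variable looks like a plaintext secret, or None."""
    try:
        parts = urlsplit(value)
        if parts.scheme and (parts.username or parts.password):
            return "URL with embedded credentials"
    except ValueError:  # malformed URL-like value: fall through to other checks
        pass
    if SENSITIVE_NAME.search(name):
        return "sensitive variable name"
    # Assumed threshold: long, space-free, high-entropy strings are likely tokens.
    if len(value) >= 20 and " " not in value and shannon_entropy(value) >= 3.5:
        return "high-entropy value"
    return None


def audit_function(config):
    """Audit one GetFunctionConfiguration-shaped dict; return {name: reason}."""
    variables = config.get("Environment", {}).get("Variables", {})
    found = ((name, classify(name, value)) for name, value in sorted(variables.items()))
    return {name: reason for name, reason in found if reason}


# Constructed sample: every name and value below is made up for illustration.
SAMPLE_CONFIG = {
    "FunctionName": "example-service-dev-handler",
    "Runtime": "python3.6",
    "Environment": {"Variables": {
        "SENTRY_ENVIRONMENT": "dev",
        "SENTRY_DSN": "https://0123456789abcdef:fedcba9876543210@sentry.example.com/42",
        "ROLLBAR_KEY": "00112233445566778899aabbccddeeff",
        "LOG_LEVEL": "INFO",
    }},
}

if __name__ == "__main__":
    for name, reason in audit_function(SAMPLE_CONFIG).items():
        print(f"{name}: {reason}")
```

Anything this audit reports is equally readable by every principal allowed to view the function's configuration, which is why such values need protection beyond being kept out of source control.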