Automatic Secrets Redaction at Runtime

Read full article here: https://blog.gitguardian.com/secrets-redaction-at-runtime-lambda-extension/?utm_source=nhimg

Organizations running AWS Lambda often face the risk of accidentally exposing secrets such as AWS credentials, API keys, or tokens in function responses. Traditional approaches rely on code reviews and secret scanners baked into CI/CD pipelines, but these methods don’t catch runtime leaks.

This article demonstrates how to use AWS Lambda Runtime API extensions to enforce automatic secrets redaction at runtime—without modifying a single line of existing function code. By integrating GitGuardian’s detection engine into a lightweight proxy extension, every Lambda response is scanned and sensitive values are replaced with safe redactions before leaving the environment.

Key Takeaways

• Runtime Interception: The extension proxies the Lambda Runtime API, intercepting all requests and responses. Sensitive values are detected and replaced with REDACTED automatically.

• GitGuardian Detection: Leveraging GitGuardian’s API, the extension identifies AWS keys, GitHub tokens, secrets in environment variables, and other high-risk credentials.

• No Code Changes: Functions run as-is, while the extension applies security transparently in the background.

• Audit & Compliance: Every redaction is logged, providing metadata for compliance frameworks such as SOC 2, HIPAA, and GDPR.

• Real-World Benefits:
  • Protect legacy Lambda functions without retrofitting code.
  • Prevent sensitive data leaks during debugging or testing.
  • Enforce PII and secret redaction across multi-tenant SaaS environments.
  • Provide a safety net for developers by ensuring secrets never leave production responses.

Architecture Highlights

• Wrapper Script: Redirects AWS_LAMBDA_RUNTIME_API to the proxy.
• Extension Proxy: Built with Node.js/Express, it scans and rewrites responses.
• GitGuardian Integration: Secure API key storage via AWS SSM Parameter Store; secrets scanning and intelligent redaction.
• Deployment: Delivered as a Lambda layer, compatible with nodejs18.x and nodejs20.x. A Python version can be built separately for Python Lambdas.

Implementation Resources

• The complete implementation is available on GitHub:  https://github.com/reaandrew/gg-lambda-extensions-example

• This implementation is based on the AWS Labs Runtime API Proxy extension example:  https://github.com/aws-samples/aws-lambda-extensions/tree/main/nodejs-example-lambda-runtime-api-proxy-extension

The Bottom Line

Runtime API extensions with GitGuardian transform Lambda from a potential weak link into a self-healing environment where secrets are never exposed. This makes compliance easier, security proactive, and development safer—without slowing down teams.