How to hide sql connection strings in aws lambda?

Question

The following is how I'm connecting. Is there any way in Lambda to set environmental variables that aren't visible and ideally would cross to several lambdas? Ideally in another AWS service that I could access with the SDK and use across all AWS services?

var MYSQL      = require('mysql');
var AWS = require('aws-sdk');

exports.handler = (event, context, callback) => {
    var connection = MYSQL.createConnection({
        host     : '127.0.0.1',
        port     : '3306',
        user     : 'myuser',
        password : 'mypass',
        database : 'mydb'
});
connection.connect();

Answer 1

I am afraid that the answers given before experience some lack of relevance. The AWS recommended way of storing this sort of data like connection strings for lambda, is the Systems Manager Parameter Store:

AWS Systems Manager provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords. This enables you to separate your secrets and configuration data from your code.

See also: https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/

Answer 2

I would store that in either a DynamoDB table or an S3 bucket. You can assign an IAM role to the Lambda to allow access to these - maybe read-only.

Alternatively, Lambda's now have environment variables like Elastic Beanstalk and you could set it that way. They can be encrypted though that adds some complexity too.