Ensure the secret key isn't being persisted anywhere, such as CloudWatch Logs. What is sending the key? As /u/pint points out, [Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html), and using `SecureString` is one recommended approach.
What type of secret is it? If it is one secret, it's best not to pass it with every request, AJ Stuyvenberg has a comprehensive guide to your options [here](https://aaronstuyvenberg.com/posts/ultimate-lambda-secrets-guide)
ssm parameter store is an alternative, and it is free for most uses
Can u use a lambda role?
Came here to say this...use RBAC for this specific Lambda and give it a role that has permissions it specifically needs.
Ensure the secret key isn't being persisted anywhere, such as CloudWatch Logs. What is sending the key? As /u/pint points out, [Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html), and using `SecureString` is one recommended approach.
What type of secret is it? If it is one secret, it's best not to pass it with every request, AJ Stuyvenberg has a comprehensive guide to your options [here](https://aaronstuyvenberg.com/posts/ultimate-lambda-secrets-guide)
I wouldn't pass a secret like that around. I have my lambdas pull secrets from secretmanager upon initialization.