JAVA_TOOLS_OPTIONS values displayed in CloudWatch - security concern for exposing trustStore password

[akhchan]

Hi,
I've been communicating with AWS support on this issue and it's been verified that JAVA_TOOLS_OPTIONS is getting displayed from Runtime Init phase. I'm filing this issue to request this to be optionally turned off so that custom SSL trustStore password can be hidden in the logs for custom certificates to be used for on-premise connection.

To reproduce,

1. set this in SAM's Lambda for Java (snippet here):

Resources:
HelloWorldFunction:
Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
CodeUri: HelloWorldFunction
Handler: helloworld.App::handleRequest
Runtime: java8
MemorySize: 2048
Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
Variables:
PARAM1: VALUE
JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1 # More info about tiered compilation https://aws.amazon.com/blogs/compute/optimizing-aws-lambda-function-performance-for-java/

2. Deploy and run the Lambda on AWS (not locally)
3. Go to Cloudwatch to find the text:
   
   

Ultimately, I need to pass in SSL information to override the trustStore used in runtime with below, without exposing the password in cloudwatch.
JAVA_TOOL_OPTIONS: "-Djavax.net.ssl.trustStore=./mycacerts -Djavax.net.ssl.trustStorePassword=xyz"