Storing critical secrets in Lambda environment variables is generally not a good idea;
Although the environment variables are encrypted at rest, users with access to the lambda configuration can easily see them as shown in this scenario.
One way to prevent this is to use AWS KMS to encrypt them. Link for more info: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-environment-variables-iam-access/
For the SSRF vulnerability, the best way to protect against this kind of attack is not to use any of user’s input as part of any forwarding traffic.
However, if any part of the user’s input is used, the user’s input must be sanitized and well tested taking into account any other kind of user’s input.
(For example, in this scenario we could use octal instead of IP address for the SSRF attack which will work as well: “http://x.x.x.x/?url=http://025177524776/latest/meta-data/iam/security-credentials/”.).
Wherever possible, you should also whitelist allowed domains and protocols.