AWS offers in the lambda configuration (aws console) option to encrypt the environment variables.
Encryption in transit → Enable helpers for encryption in transit
I can’t find any reference for this in serverless framework.
The result right now is that all env vars declared in serverless.yml are viewable to anyone with read permissions in the console, this is a bad security practice.