terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: aws-lambda-environment-credentials
    patterns:
      - pattern-inside: |
          resource "$ANYTING" $ANYTHING {
            ...
            environment {
              variables = {
                ...
              }
            }
            ...
          }
      - pattern-either:
          - pattern-inside: |
              AWS_ACCESS_KEY_ID = "$Y"
          - pattern-regex: |
              (?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])
          - pattern-inside: |
              AWS_SECRET_ACCESS_KEY = "$Y"
          - pattern-regex: |
              (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])
      - focus-metavariable: $Y
    message: A hard-coded credential was detected. It is not recommended  to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary.  It is recommended to
      use environment variables to  securely provide credentials or retrieve
      credentials from  a secure vault or HSM (Hardware Security Module).
    metadata:
      category: security
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
        - secrets
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: ERROR

Examples

aws-lambda-environment-credentials.tf

# pass

resource "aws_lambda_function" "pass" {
  function_name = "test-env"
  role = ""
  runtime = "python3.8"

  environment {
    variables = {
      AWS_DEFAULT_REGION = "us-west-2"
    }
  }
}

resource "aws_lambda_function" "no_env" {
  function_name = "test-env"
  role = ""
  runtime = "python3.8"
}

# fail

resource "aws_lambda_function" "fail" {
  function_name = "stest-env"
  role = ""
  runtime = "python3.8"

  environment {
    variables = {
      # ruleid: aws-lambda-environment-credentials
      AWS_ACCESS_KEY_ID     = "AKIAIOSFODNN7EXAMPLE",
      # ruleid: aws-lambda-environment-credentials
      AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      AWS_DEFAULT_REGION    = "us-west-2"
    }
  }
}