terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted
semgrep
By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Definition
rules:
  - id: aws-lambda-environment-unencrypted
    patterns:
      - pattern-inside: |
          resource "aws_lambda_function" $ANYTHING {
            ...
          }
      - pattern-either:
          - patterns:
              - pattern: |
                  environment { ... }
              - pattern-not-inside: |
                  resource $A $B {
                    ...
                    kms_key_arn = ...
                    ...
                  }
          - patterns:
              - pattern: |
                  kms_key_arn = ...
              - pattern-not-inside: |
                  resource $A $B {
                    ...
                    environment { ... }
                    ...
                  }
          - pattern: kms_key_arn = ""
    message: By default, the AWS Lambda Environment is encrypted using AWS-managed
      keys. However, for added security, it's recommended to configure your own
      AWS KMS encryption key to protect your environment variables in Lambda.
      You can either create a new aws_kms_key resource or use the ARN of an
      existing key in your AWS account to do so.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-lambda-environment-unencrypted.tf
# Environment block present, no kms_key_arn: flagged by the first branch.
resource "aws_lambda_function" "fail" {
  function_name                  = var.function_name
  role                           = aws_iam_role.lambda-messageprocessor.arn
  runtime                        = "python3.6"
  handler                        = "handler.lambda_handler"
  filename                       = data.archive_file.notify.output_path
  source_code_hash               = data.archive_file.notify.output_base64sha256
  reserved_concurrent_executions = var.concurrency
  tracing_config {
    mode = "PassThrough"
  }
  # ruleid: aws-lambda-environment-unencrypted
  environment {
    variables = {
      test = "true"
    }
  }
}

# kms_key_arn present, no environment block: flagged by the second branch.
resource "aws_lambda_function" "failkmsnovars" {
  function_name                  = var.function_name
  role                           = aws_iam_role.lambda-messageprocessor.arn
  runtime                        = "python3.6"
  handler                        = "handler.lambda_handler"
  filename                       = data.archive_file.notify.output_path
  source_code_hash               = data.archive_file.notify.output_base64sha256
  reserved_concurrent_executions = var.concurrency
  tracing_config {
    mode = "PassThrough"
  }
  # ruleid: aws-lambda-environment-unencrypted
  kms_key_arn = aws_kms_key.anyoldguff.arn
}

# Neither environment nor kms_key_arn: nothing to encrypt, not flagged.
resource "aws_lambda_function" "ignore" {
  function_name                  = var.function_name
  role                           = aws_iam_role.lambda-messageprocessor.arn
  runtime                        = "python3.6"
  handler                        = "handler.lambda_handler"
  filename                       = data.archive_file.notify.output_path
  source_code_hash               = data.archive_file.notify.output_base64sha256
  reserved_concurrent_executions = var.concurrency
  tracing_config {
    mode = "PassThrough"
  }
}

# Environment block and a non-empty kms_key_arn: not flagged.
resource "aws_lambda_function" "pass" {
  function_name                  = var.function_name
  role                           = aws_iam_role.lambda-messageprocessor.arn
  runtime                        = "python3.6"
  handler                        = "handler.lambda_handler"
  filename                       = data.archive_file.notify.output_path
  source_code_hash               = data.archive_file.notify.output_base64sha256
  reserved_concurrent_executions = var.concurrency
  tracing_config {
    mode = "PassThrough"
  }
  environment {
    variables = {
      test = "true"
    }
  }
  kms_key_arn = aws_kms_key.anyoldguff.arn
}

# Empty kms_key_arn string: flagged by the literal "" pattern.
resource "aws_lambda_function" "failasempty" {
  function_name                  = var.function_name
  role                           = aws_iam_role.lambda-messageprocessor.arn
  runtime                        = "python3.6"
  handler                        = "handler.lambda_handler"
  filename                       = data.archive_file.notify.output_path
  source_code_hash               = data.archive_file.notify.output_base64sha256
  reserved_concurrent_executions = var.concurrency
  tracing_config {
    mode = "PassThrough"
  }
  # ruleid: aws-lambda-environment-unencrypted
  kms_key_arn = ""
}
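The rule message says to create an aws_kms_key resource, but the test file above never shows one. The following is an added example, not part of the Semgrep registry page or the rule's test file, that defines a customer-managed key, references it from the function, and grants the execution role the decrypt permission the function needs at invocation time; the names aws_iam_role.lambda_exec and data.archive_file.notify are assumed to exist elsewhere in the module, and the queue URL is a constructed placeholder.

```hcl
# Constructed example (not from the Semgrep registry page or the rule's test file).
# Assumed to be defined elsewhere in the module: aws_iam_role.lambda_exec,
# data.archive_file.notify.

resource "aws_kms_key" "lambda_env" {
  description             = "Customer-managed key for Lambda environment variables"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "lambda_env" {
  name          = "alias/lambda-env"
  target_key_id = aws_kms_key.lambda_env.key_id
}

# With a customer-managed key, the execution role must be allowed to decrypt the
# environment with that key; without it, invocations fail with a KMS access error.
resource "aws_iam_role_policy" "lambda_env_decrypt" {
  name = "lambda-env-decrypt"
  role = aws_iam_role.lambda_exec.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:Decrypt"]
      Resource = aws_kms_key.lambda_env.arn
    }]
  })
}

resource "aws_lambda_function" "encrypted_env" {
  function_name    = "notify"
  role             = aws_iam_role.lambda_exec.arn
  runtime          = "python3.12"
  handler          = "handler.lambda_handler"
  filename         = data.archive_file.notify.output_path
  source_code_hash = data.archive_file.notify.output_base64sha256

  # Both environment and a non-empty kms_key_arn are present, so neither
  # pattern-either branch nor the literal "" pattern of the rule matches.
  kms_key_arn = aws_kms_key.lambda_env.arn

  environment {
    variables = {
      QUEUE_URL = "https://sqs.example.invalid/queue" # constructed placeholder
    }
  }
}
```

Running semgrep with the rule above against this file produces no finding, while removing either kms_key_arn or the environment block reproduces the fail cases from the test file.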
Short Link: https://sg.run/x4lz