Hardcoded AWS Access Key In Lambda

  • Query id: f34508b9-f574-4330-b42d-88c44cced645
  • Query name: Hardcoded AWS Access Key In Lambda
  • Platform: Ansible
  • Severity: High
  • Category: Secret Management
  • CWE: Ongoing
  • URL: Github

Description

Lambda access/secret keys should not be hardcoded
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: looped creation
  community.aws.lambda:
    aws_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    name: '{{ item.name }}'
    state: present
    zip_file: '{{ item.zip_file }}'
    runtime: 'python2.7'
    role: 'arn:aws:iam::987654321012:role/lambda_basic_execution'
    handler: 'hello_python.my_handler'
    vpc_subnet_ids:
    - subnet-123abcde
    - subnet-edcba321
    vpc_security_group_ids:
    - sg-123abcde
    - sg-edcba321
    environment_variables: '{{ item.env_vars }}'
    tags:
      key1: 'value1'
  loop:
  - name: HelloWorld
    zip_file: hello-code.zip
    env_vars:
      key1: "first"
      key2: "second"
  - name: ByeBye
    zip_file: bye-code.zip
    env_vars:
      key1: "1"
      key2: "2"
- name: remove tags
  community.aws.lambda:
    aws_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    name: 'Lambda function'
    state: present
    zip_file: 'code.zip'
    runtime: 'python2.7'
    role: 'arn:aws:iam::987654321012:role/lambda_basic_execution'
    handler: 'hello_python.my_handler'
    tags: {}

- name: Delete Lambda functions HelloWorld and ByeBye
  community.aws.lambda:
    name: '{{ item }}'
    state: absent
  loop:
  - HelloWorld
  - ByeBye

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: looped creation
  community.aws.lambda:
    name: '{{ item.name }}'
    state: present
    zip_file: '{{ item.zip_file }}'
    runtime: python2.7
    role: arn:aws:iam::987654321012:role/lambda_basic_execution
    handler: hello_python.my_handler
    vpc_subnet_ids:
    - subnet-123abcde
    - subnet-edcba321
    vpc_security_group_ids:
    - sg-123abcde
    - sg-edcba321
    environment_variables: '{{ item.env_vars }}'
    tags:
      key1: value1
  loop:
  - name: HelloWorld
    zip_file: hello-code.zip
    env_vars:
      key1: first
      key2: second
  - name: ByeBye
    zip_file: bye-code.zip
    env_vars:
      key1: '1'
      key2: '2'
- name: remove tags
  community.aws.lambda:
    name: Lambda function
    state: present
    zip_file: code.zip
    runtime: python2.7
    role: arn:aws:iam::987654321012:role/lambda_basic_execution
    handler: hello_python.my_handler
    tags: {}

- name: Delete Lambda functions HelloWorld and ByeBye
  community.aws.lambda:
    name: '{{ item }}'
    state: absent
  loop:
  - HelloWorld
  - ByeBye