Hardcoded AWS Access Key In Lambda
- Query id: 2564172f-c92b-4261-9acd-464aed511696
- Query name: Hardcoded AWS Access Key In Lambda
- Platform: CloudFormation
- Severity: High
- Category: Secret Management
- CWE: Ongoing
- URL: Github
Description¶
AWS access key IDs and secret access keys must not be hardcoded in a Lambda function's `Environment.Variables`. Environment variables are stored as part of the function configuration and are returned in plaintext to any principal that can read the function (for example via `lambda:GetFunctionConfiguration`), and a key written into a CloudFormation template also ends up in version control and in the deployed stack definition. A Lambda function already obtains temporary AWS credentials through its execution `Role`, so static AWS keys are normally unnecessary; a genuinely required third-party secret should be retrieved at run time (for example from AWS Secrets Manager or SSM Parameter Store, using the execution role) rather than placed in the environment — a CloudFormation dynamic reference in `Environment.Variables` still resolves to a plaintext environment variable. The samples below differ only in the value of the variable `foo`, which indicates the query flags by the value's shape (a long credential-like string), not by the variable name; a benign-looking name does not avoid detection.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
# Positive sample: the query flags the value of Environment.Variables.foo below.
# Apart from that value the template is the same as the negative sample.
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  LambdaFunction3:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      # NOTE(review): Lambda obtains its AWS credentials from this execution
      # role at run time, so a static access key / secret key in the
      # environment is redundant as well as exposed.
      Role: arn:aws:iam::123456789012:role/lambda-role
      Environment:
        Variables:
          # Flagged: a 40-character digit run followed by "$" (presumably
          # chosen to mimic a 40-character AWS secret access key — the query
          # matches on the value's shape, not on the key name "foo").
          # NOTE(review): environment variables are part of the function
          # configuration and are readable in plaintext by any principal
          # with read access to the function.
          foo: "1234567890123456789012345678901234567890$"
          # Not flagged by this query: neither value is credential-shaped.
          # A plaintext admin user name in a template is still worth
          # reviewing together with wherever its password is stored.
          databaseName: lambdadb
          databaseUser: admin
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      # NOTE(review): nodejs12.x is an end-of-life Lambda runtime; it is
      # irrelevant to this query but should not be copied into real templates.
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
Positive test num. 2 - yaml file
# Positive sample: same as positive test 1 but with a longer flagged value and
# without the extra non-credential variables, showing that only the
# credential-shaped value matters.
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  LambdaFunction4:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      # NOTE(review): the execution role already supplies AWS credentials at
      # run time; a hardcoded key below would be both redundant and exposed.
      Role: arn:aws:iam::123456789012:role/lambda-role
      Environment:
        Variables:
          # Flagged: an 80-character digit run followed by "$". The query
          # still fires on a value longer than a 40-character secret key,
          # so the match is not limited to exactly 40 characters.
          foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      # NOTE(review): nodejs12.x is an end-of-life Lambda runtime; unrelated
      # to this query, but do not reuse it in real templates.
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
Positive test num. 3 - json file (the same template as positive test 1 in JSON form; the flagged value is `Environment.Variables.foo`)
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "VPC function.",
"Resources": {
"LambdaFunction5": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "my-bucket",
"S3Key": "function.zip"
},
"Runtime": "nodejs12.x",
"Timeout": 5,
"TracingConfig": {
"Mode": "Active"
},
"VpcConfig": {
"SecurityGroupIds": [
"sg-085912345678492fb"
],
"SubnetIds": [
"subnet-071f712345678e7c8",
"subnet-07fd123456788a036"
]
},
"Handler": "index.handler",
"Role": "arn:aws:iam::123456789012:role/lambda-role",
"Environment": {
"Variables": {
"foo": "1234567890123456789012345678901234567890$",
"databaseName": "lambdadb",
"databaseUser": "admin"
}
}
}
}
}
}
Positive test num. 4 - json file (the same template as positive test 2 in JSON form; the flagged value is the 80-character `Environment.Variables.foo`)
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "VPC function.",
"Resources": {
"LambdaFunction6": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "my-bucket",
"S3Key": "function.zip"
},
"Runtime": "nodejs12.x",
"Timeout": 5,
"TracingConfig": {
"Mode": "Active"
},
"VpcConfig": {
"SecurityGroupIds": [
"sg-085912345678492fb"
],
"SubnetIds": [
"subnet-071f712345678e7c8",
"subnet-07fd123456788a036"
]
},
"Handler": "index.handler",
"Role": "arn:aws:iam::123456789012:role/lambda-role",
"Environment": {
"Variables": {
"foo": "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
}
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
# Negative sample: identical to the positive samples except that
# Environment.Variables.foo holds a short literal, so nothing
# credential-shaped is present and the query does not fire.
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      # NOTE(review): this execution role is how the function should obtain
      # AWS credentials; nothing further belongs in the environment for that.
      Role: arn:aws:iam::123456789012:role/lambda-role
      Environment:
        Variables:
          # Not flagged: "test" is not shaped like an access key or secret key.
          # Passing this query is not the same as handling secrets correctly —
          # a real secret still belongs in a secret store read at run time via
          # the execution role, not in this map.
          foo: "test"
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      # NOTE(review): nodejs12.x is an end-of-life Lambda runtime; it is
      # irrelevant to this query but should not be copied into real templates.
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
Negative test num. 2 - json file (the same template as negative test 1 in JSON form; `Environment.Variables.foo` is the short literal `"test"`, so nothing credential-shaped is present)
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "VPC function.",
"Resources": {
"LambdaFunction2": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "my-bucket",
"S3Key": "function.zip"
},
"Runtime": "nodejs12.x",
"Timeout": 5,
"TracingConfig": {
"Mode": "Active"
},
"VpcConfig": {
"SecurityGroupIds": [
"sg-085912345678492fb"
],
"SubnetIds": [
"subnet-071f712345678e7c8",
"subnet-07fd123456788a036"
]
},
"Handler": "index.handler",
"Role": "arn:aws:iam::123456789012:role/lambda-role",
"Environment": {
"Variables": {
"foo": "test"
}
}
}
}
}
}