Serverless Function Environment Variables Not Encrypted

  • Query id: 4495bc5d-4d1e-4a26-ae92-152d18195648
  • Query name: Serverless Function Environment Variables Not Encrypted
  • Platform: ServerlessFW
  • Severity: Medium
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

AWS Lambda stores a function's environment variables encrypted at rest, but unless a KMS key is specified the default AWS-managed key is used, which the account cannot scope with its own key policy, rotate on its own schedule, or audit per key. In the Serverless Framework the key is declared with provider.kmsKeyArn, which applies to every function in the service, or with kmsKeyArn on an individual function. This query reports a serverless.yml in which provider.environment is defined without provider.kmsKeyArn, or a function defines environment without a kmsKeyArn of its own and without one at provider level; as the positive samples below show, service.awsKmsKeyArn on its own and function-level keys alone (while provider.environment is left unkeyed) do not satisfy the check.
Documentation
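As an added example, not code from KICS or the Serverless Framework, the following Python implements the rule described above as a small checker over an already-parsed serverless.yml (the dict form that yaml.safe_load would return). The three configurations are constructed from this page's positive and negative samples; the extra cases at the end go beyond the page and cover a function that carries its own key while the provider defines no environment, and a function that defines environment with no key anywhere. The exact decision logic is inferred from the samples and is an assumption, not a copy of the KICS query.

```python
"""Checker for unencrypted Serverless Framework environment variables.

Added example; not the KICS query or Serverless Framework code. Configs are
dicts in the shape yaml.safe_load would return for a serverless.yml.
"""

# Rule (assumption inferred from the page's samples):
#   - provider.environment requires provider.kmsKeyArn;
#   - functions.<name>.environment requires functions.<name>.kmsKeyArn
#     or provider.kmsKeyArn;
#   - service.awsKmsKeyArn on its own does not satisfy the rule.
def env_var_findings(config):
    """Return [(scope, message), ...] for environment blocks with no KMS key."""
    findings = []
    provider = config.get("provider") or {}
    provider_key = provider.get("kmsKeyArn")

    # Provider-level environment is inherited by every function, so it must
    # be covered by a provider-level key; a function key cannot stand in.
    if provider.get("environment") and not provider_key:
        findings.append(("provider",
                         "provider.environment is set but provider.kmsKeyArn is missing"))

    # A function's own environment is covered by its own key or the provider's.
    for name, fn in (config.get("functions") or {}).items():
        fn = fn or {}
        if fn.get("environment") and not (fn.get("kmsKeyArn") or provider_key):
            findings.append((f"functions.{name}",
                             f"functions.{name}.environment is set but neither "
                             f"functions.{name}.kmsKeyArn nor provider.kmsKeyArn is defined"))
    return findings


def is_compliant(config):
    """True when no environment block is left without a KMS key."""
    return not env_var_findings(config)


KEY = "arn:aws:kms:us-east-1:XXXXXX:key/some-hash"  # placeholder from the page

# Constructed from the page's "Positive test num. 1".
POSITIVE_1 = {
    "service": {"name": "service-name", "awsKmsKeyArn": KEY},
    "provider": {"name": "aws", "environment": {"TABLE_NAME": "tableName1"}},
    "functions": {"hello": {"handler": "handler.hello",
                            "environment": {"TABLE_NAME": "tableName2"}}},
}

# Constructed from the page's "Positive test num. 2": function keys only.
POSITIVE_2 = {
    "service": {"name": "service-name", "awsKmsKeyArn": KEY},
    "provider": {"name": "aws", "environment": {"TABLE_NAME": "tableName1"}},
    "functions": {
        "hello": {"handler": "handler.hello", "kmsKeyArn": KEY,
                  "environment": {"TABLE_NAME": "tableName2"}},
        "goodbye": {"handler": "handler.goodbye", "kmsKeyArn": KEY},
    },
}

# Constructed from the page's "Negative test num. 1": provider.kmsKeyArn set.
NEGATIVE_1 = {
    "service": {"name": "service-name", "awsKmsKeyArn": KEY},
    "provider": {"name": "aws", "kmsKeyArn": KEY,
                 "environment": {"TABLE_NAME": "tableName1"}},
    "functions": {
        "hello": {"handler": "handler.hello", "kmsKeyArn": KEY,
                  "environment": {"TABLE_NAME": "tableName2"}},
        "goodbye": {"handler": "handler.goodbye", "kmsKeyArn": KEY},
    },
}

# Extra cases (constructed, not on the page): no provider.environment at all.
FUNCTION_KEY_ONLY = {
    "provider": {"name": "aws"},
    "functions": {"hello": {"handler": "handler.hello", "kmsKeyArn": KEY,
                            "environment": {"TABLE_NAME": "tableName2"}}},
}
FUNCTION_NO_KEY = {
    "provider": {"name": "aws"},
    "functions": {"hello": {"handler": "handler.hello",
                            "environment": {"TABLE_NAME": "tableName2"}}},
}

if __name__ == "__main__":
    for label, cfg in [("positive-1", POSITIVE_1), ("positive-2", POSITIVE_2),
                       ("negative-1", NEGATIVE_1), ("function-key-only", FUNCTION_KEY_ONLY),
                       ("function-no-key", FUNCTION_NO_KEY)]:
        print(label, "compliant" if is_compliant(cfg) else env_var_findings(cfg))
```

After deployment, the effective setting can be confirmed with `aws lambda get-function-configuration --function-name <name> --query KMSKeyArn`: Lambda only returns KMSKeyArn when a customer-managed key is configured, so a null result means the default AWS-managed key is in use.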

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yml file
frameworkVersion: '2'
service:
  name: service-name
  awsKmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash

provider:
  name: aws
  environment:
    TABLE_NAME: tableName1

functions:
  hello: # this function will OVERWRITE the service level environment config above
    handler: handler.hello
    environment:
      TABLE_NAME: tableName2
Positive test num. 2 - yml file
frameworkVersion: '2'
service:
  name: service-name
  awsKmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash

provider:
  name: aws
  environment:
    TABLE_NAME: tableName1

functions:
  hello: # this function will OVERWRITE the service level environment config above
    handler: handler.hello
    kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
    environment:
      TABLE_NAME: tableName2
  goodbye: # this function will INHERIT the service level environment config above
    handler: handler.goodbye
    kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash

Code samples without security vulnerabilities

Negative test num. 1 - yml file
frameworkVersion: '2'
service:
  name: service-name
  awsKmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash

provider:
  name: aws
  kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
  environment:
    TABLE_NAME: tableName1

functions:
  hello: # this function will OVERWRITE the service level environment config above
    handler: handler.hello
    kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
    environment:
      TABLE_NAME: tableName2
  goodbye: # this function will INHERIT the service level environment config above
    handler: handler.goodbye
    kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
Negative test num. 2 - yml file
frameworkVersion: '2'
service:
  name: service-name
  awsKmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash

provider:
  name: aws
  kmsKeyArn: arn:aws:kms:us-east-1:XXXXXX:key/some-hash
  environment:
    TABLE_NAME: tableName1

functions:
  hello: # this function will OVERWRITE the service level environment config above
    handler: handler.hello