Lambda Function Without Dead Letter Queue
- Query id: 720f44cf-285e-4b69-8f72-835e6bc1dceb
- Query name: Lambda Function Without Dead Letter Queue
- Platform: Terraform
- Severity: Low
- Category: Insecure Configurations
- CWE: 390
- Risk score: 1.0
- URL: Github
Description¶
An AWS Lambda function should be configured with a dead-letter queue (DLQ): an SQS queue or SNS topic set in `dead_letter_config.target_arn` (or `dead_letter_target_arn` when using the terraform-aws-modules/lambda module), so that events from asynchronous invocations that still fail after Lambda's retries are captured for replay and investigation instead of being discarded. A missing block and an empty `target_arn` are both reported, since an empty value configures nothing. Note that the function's execution role must also be allowed to write to the target (`sqs:SendMessage` or `sns:Publish`); the query only checks that a target is declared.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
resource "aws_lambda_function" "lambda_without_dlq" {
function_name = "lambdaWithoutDLQ"
role = aws_iam_role.lambda_exec_role.arn
handler = "index.handler"
runtime = "nodejs18.x"
filename = "lambda.zip"
}
Positive test num. 2 - tf file
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
resource "aws_lambda_function" "lambda_with_incomplete_dlq" {
function_name = "lambdaWithIncompleteDLQ"
role = aws_iam_role.lambda_exec_role.arn
handler = "index.handler"
runtime = "python3.11"
filename = "lambda.zip"
dead_letter_config {
target_arn = ""
}
}
Positive test num. 3 - tf file
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
module "lambda_with_incomplete_dlq" {
source = "terraform-aws-modules/lambda/aws"
version = "~> 5.0"
function_name = "lambdaWithIncompleteDLQ"
role = aws_iam_role.lambda_exec_role.arn
handler = "index.handler"
runtime = "python3.11"
filename = "lambda.zip"
}
Positive test num. 4 - tf file
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
module "lambda_with_incomplete_dlq" {
source = "terraform-aws-modules/lambda/aws"
version = "~> 5.0"
function_name = "lambdaWithIncompleteDLQ"
role = aws_iam_role.lambda_exec_role.arn
handler = "index.handler"
runtime = "python3.11"
filename = "lambda.zip"
dead_letter_target_arn = ""
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
resource "aws_lambda_function" "lambda_with_sns_dlq" {
function_name = "lambdaWithSnsDLQ"
role = aws_iam_role.lambda_exec_role.arn
handler = "index.handler"
runtime = "nodejs18.x"
filename = "lambda.zip"
dead_letter_config {
target_arn = "arn:aws:sns:us-east-1:123456789012:my-dlq-topic"
}
}
Negative test num. 2 - tf file
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
module "lambda_with_incomplete_dlq" {
source = "terraform-aws-modules/lambda/aws"
version = "~> 5.0"
function_name = "lambdaWithIncompleteDLQ"
role = aws_iam_role.lambda_exec_role.arn
handler = "index.handler"
runtime = "python3.11"
filename = "lambda.zip"
dead_letter_target_arn = "arn:aws:sns:us-east-1:123456789012:my-dlq-topic"
}