Amazon Q
Detector Library
CloudFormation detectors (79/79)
Cloudfront Custom SSL CertificateDynamoDB Autoscaling EnabledCLOUD TRAIL CLOUD WATCH LOGSCloudfront Origin FailoverSagemaker Notebook Direct AccessCloudwatch Alarm Action CheckELB Cross Zone Load BalancingDisabled domain loggingElasticsearch Primary NodeS3 Bucket SSL Request OnlyDisabled pitr for global tablesRedshift Backup EnabledRestrict log4j2 message lookupRDS instance logging enabledS3 Bucket replication enabledIAM Profile Not Attached.S3 Bucket Default Encryption With AWS KMSUnsecure encryption of DAX at restDisabled encryption on Aurora at restRestrict wildcard in KMS keyCLOUDFRONT DEFAULT ROOT OBJECT CONFIGUREDNo unrestricted route to igwRDS Auto Version UpgradeSubnet Auto Assign Public IPUnecrypted AWS Redshift using CMKCW Loggroup Retention PeriodEMR Kerberos EnabledRedShift Enhanced VPC RoutingUnencryption not preventedDisabled AWS S3 object versioningEcs Task DefinitionConfigure HTTPS for CloudFront distribution ViewerProtocolPolicyMonitoring Disabled EC2 instancesDisabled iam authenticationAWS S3 public WRITE permissionOver premissive aws private ecrDisabled AWS RDS EncryptionFsx Resources ProtectedCloudtrail S3 Dataevents enabledRestrict IAM permissive role assumptionTimestream database not encryptedRestrict public access on DMS replication instanceRedshift Cluster Maintenance SettingsDB instance backup enabledEKS Endpoint No Public AccessMore Restrictive CIDRenabled_rds_public_access_cloudformationAurora MySQL BacktrackingELB ACM CertificateS3 default lock enabledSagemaker NoteBook Instance KmsExposed secrets in EC2 user dataS3 ignore public acls not trueUnencrypted code buildCloudfront SNI EnabledDynamoDB Table EncryptionExposed secrets in Lambda function environment variablessns_topic_uses_cmk_cloudformationDisabled Neptune loggingAPI GW Resources Type CheckRestricted Common PortsDisabled DynamoDB Point-In-Time RecoveryEBS Optimization Disabled EC2 instancesRestrict assumed IAM role accessAutoscaling Launch ConfigAutoscaling Group ELB Health ChecksImplicit SSH for AWS EKS node groupElasticsearch in VPSDisabled Glue Data Catalog encryptionUnsecured Encryption in transit for EFS volumesEFS Resources Protected By Backup PlanDisabled enforce httpsUnencrypted EBS VolumesRestrict public IP association on EC2 instanceRDS Instance Deletion ProtectionPublic READ bucket ACLnonhttps_load_balancer_cloudformationDisabled AWS Glue security encryptionEC2 Instance In VPC
Exposed secrets in Lambda function environment variables High
The exposure of secrets through Lambda function's environment variables is detected. Make sure that secrets are not exposed by environment variables of Lambda function.
Detector ID
cloudformation/exposed-lambda-env-secret-cloudformation@v1.0
Category
Common Weakness Enumeration (CWE) 
Noncompliant example
1Resources:
2 Resource:
3 Type: "AWS::Lambda::Function"
4 Properties:
5 Description: AWS Lambda Function to initiate the chat with the end user
6 Handler: "index.handler"
7 Role: !GetAtt InitiateChatLambdaExecutionRole.Arn
8 Runtime: "nodejs14.x"
9 MemorySize: 128
10 Timeout: 30
11 Environment:
12 # Noncompliant: hard-coded secrets exist in lambda environment.
13 Variables:
14 key1: AKIAAAAAAAAAAAAAAAAA
15 Code:
16 S3Bucket: !Ref SourceBucket
17 S3Key: !Ref InitiateChatLambdaCodeObject
18 ReservedConcurrentExecutions: 100
19 DeadLetterConfig:
20 TargetArn: "test"
21 VpcConfig:
22 SecurityGroupIds:
23 - sg-12345
24 SubnetIds:
25 - subnet-12345
26 - subnet-67890
27 KmsKeyArn: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abCompliant example
1Resources:
2 Resource:
3 Type: "AWS::Lambda::Function"
4 Properties:
5 Description: AWS Lambda Function to initiate the chat with the end user
6 Handler: "index.handler"
7 Role: !GetAtt InitiateChatLambdaExecutionRole.Arn
8 Runtime: "nodejs14.x"
9 MemorySize: 128
10 Timeout: 30
11 Environment:
12 # Compliant: no hard-coded secrets exist in lambda environment.
13 Variables:
14 key1: not_a_secret
15 Code:
16 S3Bucket: !Ref SourceBucket
17 S3Key: !Ref InitiateChatLambdaCodeObject
18 ReservedConcurrentExecutions: 100
19 DeadLetterConfig:
20 TargetArn: "test"
21 VpcConfig:
22 SecurityGroupIds:
23 - sg-12345
24 SubnetIds:
25 - subnet-12345
26 - subnet-67890
27 KmsKeyArn: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab