Exposure of secrets through a Lambda function's environment variables is detected. Make sure that secrets are not exposed through the environment variables of a Lambda function.
resource "aws_lambda_function" "LambdaFunction" {
  # Noncompliant: long-lived AWS credentials are embedded in the function's
  # environment. Environment variables are returned in plaintext to any
  # principal allowed to read the function configuration and are shown in the
  # console, so kms_key_arn (encryption at rest) does not protect them. Fetch
  # secrets at runtime from a secrets store instead of baking them into
  # configuration. Lambda treats these particular AWS_* names as reserved and
  # may reject them at deploy time, but the same exposure applies to any other
  # variable name holding a secret.
  function_name = "IdempotencyFunction"
  handler       = "app.lambda_handler"
  runtime       = "python3.11"
  filename      = "lambda.zip"
  role          = aws_iam_role.IdempotencyFunctionRole.arn

  environment {
    variables = {
      AWS_ACCESS_KEY_ID     = "AKIAIOSFODNN7EXAMPLE"
      AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
      AWS_DEFAULT_REGION    = "us-west-2"
    }
  }

  # Encryption-at-rest key for the environment, and the code-signing config.
  kms_key_arn             = aws_kms_key.anyoldguff.arn
  code_signing_config_arn = "123123123"

  reserved_concurrent_executions = 100

  tracing_config {
    mode = "Active"
  }

  # Run inside the VPC with the dedicated subnet and security group.
  vpc_config {
    subnet_ids         = [aws_subnet.subnet_for_lambda.id]
    security_group_ids = [aws_security_group.sg_for_lambda.id]
  }

  # Destination for failed asynchronous invocations.
  dead_letter_config {
    target_arn = "test"
  }
}
resource "aws_lambda_function" "IdempotencyFunction" {
  # Compliant: no secrets are placed in the environment. The empty
  # `environment {}` block leaves the variables map unset; any credentials the
  # handler needs should be resolved at runtime from the execution role or a
  # secrets store rather than stored in the function configuration.
  function_name = "IdempotencyFunction"
  handler       = "app.lambda_handler"
  runtime       = "python3.11"
  filename      = "lambda.zip"
  role          = aws_iam_role.IdempotencyFunctionRole.arn

  environment {}

  # Encryption-at-rest key for the environment, and the code-signing config.
  kms_key_arn             = aws_kms_key.anyoldguff.arn
  code_signing_config_arn = "123123123"

  reserved_concurrent_executions = 100

  tracing_config {
    mode = "Active"
  }

  # Run inside the VPC with the dedicated subnet and security group.
  vpc_config {
    subnet_ids         = [aws_subnet.subnet_for_lambda.id]
    security_group_ids = [aws_security_group.sg_for_lambda.id]
  }

  # Destination for failed asynchronous invocations.
  dead_letter_config {
    target_arn = "test"
  }
}