Exposed secrets in Lambda function environment variables High

Secrets exposed through a Lambda function's environment variables are detected. Make sure that secrets are not exposed through the environment variables of a Lambda function.

Detector ID
terraform/exposed-lambda-env-secret-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

resource "aws_lambda_function" "LambdaFunction" {
  function_name = "IdempotencyFunction"
  handler       = "app.lambda_handler"
  runtime       = "python3.11"
  filename      = "lambda.zip"
  role          = aws_iam_role.IdempotencyFunctionRole.arn

  # Noncompliant: long-lived AWS credentials are embedded as plaintext values in the
  # function configuration. kms_key_arn only encrypts environment variables at rest;
  # any principal allowed to read the function configuration still receives them
  # decrypted, and the values are also written to Terraform state. Lambda reserves
  # these particular variable names and populates them from the execution role, so a
  # secret should never need to live here.
  environment {
    variables = {
      AWS_ACCESS_KEY_ID     = "AKIAIOSFODNN7EXAMPLE"
      AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
      AWS_DEFAULT_REGION    = "us-west-2"
    }
  }

  kms_key_arn                    = aws_kms_key.anyoldguff.arn
  code_signing_config_arn        = "123123123"
  reserved_concurrent_executions = 100

  tracing_config {
    mode = "Active"
  }

  vpc_config {
    subnet_ids         = [aws_subnet.subnet_for_lambda.id]
    security_group_ids = [aws_security_group.sg_for_lambda.id]
  }

  dead_letter_config {
    target_arn = "test"
  }
}

Compliant example

resource "aws_lambda_function" "IdempotencyFunction" {
  function_name = "IdempotencyFunction"
  handler       = "app.lambda_handler"
  runtime       = "python3.11"
  filename      = "lambda.zip"
  role          = aws_iam_role.IdempotencyFunctionRole.arn

  # Compliant: the environment block carries no secret material. Anything sensitive
  # the function needs should be granted through its execution role and retrieved at
  # runtime (for example from AWS Secrets Manager or SSM Parameter Store) rather than
  # stored in the function configuration.
  environment {}

  kms_key_arn                    = aws_kms_key.anyoldguff.arn
  code_signing_config_arn        = "123123123"
  reserved_concurrent_executions = 100

  tracing_config {
    mode = "Active"
  }

  vpc_config {
    subnet_ids         = [aws_subnet.subnet_for_lambda.id]
    security_group_ids = [aws_security_group.sg_for_lambda.id]
  }

  dead_letter_config {
    target_arn = "test"
  }
}