turbot/aws_compliance

Query: lambda_function_variables_no_sensitive_data

Usage

powerpipe query aws_compliance.query.lambda_function_variables_no_sensitive_data

Steampipe Tables

SQL

with function_vaiable_with_sensitive_data as (
select
distinct arn,
name
from
aws_lambda_function
join jsonb_each_text(environment_variables) d on true
where
d.key ilike any (array['%pass%', '%secret%', '%token%', '%key%'])
or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
or d.value ilike any (array['%pass%', '%secret%', '%token%', '%key%'])
or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
)
select
f.arn as resource,
case
when b.arn is null then 'ok'
else 'alarm'
end as status,
case
when b.arn is null then f.title || ' has no sensitive data.'
else f.title || ' has potential sensitive data.'
end as reason
, region, account_id
from
aws_lambda_function as f
left join function_vaiable_with_sensitive_data b on f.arn = b.arn;

Controls

The query is being used by the following controls: