turbot/steampipe-mod-aws-compliance

Control: Lambda functions variable should not have any sensitive data

Description

Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.lambda_function_variables_no_sensitive_data

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.lambda_function_variables_no_sensitive_data --share

SQL

This control uses a named query:

with function_vaiable_with_sensitive_data as (
select
distinct arn,
name
from
aws_lambda_function
join jsonb_each_text(environment_variables) d on true
where
d.key ilike any (array['%pass%', '%secret%', '%token%', '%key%'])
or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
or d.value ilike any (array['%pass%', '%secret%', '%token%', '%key%'])
or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
)
select
f.arn as resource,
case
when b.arn is null then 'ok'
else 'alarm'
end as status,
case
when b.arn is null then f.title || ' has no sensitive data.'
else f.title || ' has potential sensitive data.'
end as reason
, region, account_id
from
aws_lambda_function as f
left join function_vaiable_with_sensitive_data b on f.arn = b.arn;

Tags