Control: Lambda functions variable should not have any sensitive data
Description
Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.lambda_function_variables_no_sensitive_dataSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.lambda_function_variables_no_sensitive_data --shareSQL
This control uses a named query:
with function_vaiable_with_sensitive_data as ( select distinct (address ) as name from terraform_resource join jsonb_each_text(attributes_std -> 'environment' -> 'variables') d on true where type = 'aws_lambda_function' and ( d.key ilike any (array['%pass%', '%secret%', '%token%', '%key%']) or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' or d.value ilike any (array['%pass%', '%secret%', '%token%', '%key%']) or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' ))select r.address as resource, case when s.name is not null then 'alarm' else 'ok' end as status, split_part(r.address, '.', 2) || case when s.name is not null then ' has potential sensitive data' else ' has no sensitive data' end || '.' as reason , path || ':' || start_linefrom terraform_resource as r left join function_vaiable_with_sensitive_data as s on s.name = r.addresswhere r.type = 'aws_lambda_function';