turbot/terraform_aws_compliance

Query: lambda_function_variables_no_sensitive_data

Usage

powerpipe query terraform_aws_compliance.query.lambda_function_variables_no_sensitive_data

Steampipe Tables

SQL

with function_vaiable_with_sensitive_data as (
select
distinct (address ) as name
from
terraform_resource
join jsonb_each_text(attributes_std -> 'environment' -> 'variables') d on true
where
type = 'aws_lambda_function'
and (
d.key ilike any (array['%pass%', '%secret%', '%token%', '%key%'])
or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
or d.value ilike any (array['%pass%', '%secret%', '%token%', '%key%'])
or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
)
)
select
r.address as resource,
case
when s.name is not null then 'alarm'
else 'ok'
end as status,
split_part(r.address, '.', 2) || case
when s.name is not null then ' has potential sensitive data'
else ' has no sensitive data'
end || '.' as reason
, path || ':' || start_line
from
terraform_resource as r
left join function_vaiable_with_sensitive_data as s on s.name = r.address
where
r.type = 'aws_lambda_function';

Controls

The query is being used by the following controls: