Serverless function without dead-letter queue

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Serverless function without dead-letter queue

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: cb2f612b-ed42-4ff5-9fb9-255c73d39a18

Cloud Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Insecure Configurations

Learn More

Provider Reference

Description

Serverless functions without a dead-letter queue (DLQ) can lose events from failed asynchronous invocations and make failure diagnosis and recovery difficult. For AWS::Serverless::Function resources, the DeadLetterConfig property must be defined and not null. The DeadLetterConfig should include a valid TargetArn that points to a durable target such as an Amazon SQS queue or an Amazon SNS topic; resources missing DeadLetterConfig or with it set to null will be flagged.

Secure configuration example:

MyDeadLetterQueue:
  Type: AWS::SQS::Queue

MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: nodejs14.x
    DeadLetterConfig:
      TargetArn: !GetAtt MyDeadLetterQueue.Arn

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  Function1:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        - Key: Type
          Value: AWS Serverless Function
      DeadLetterConfig:
        TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa
        Type: SQS

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        - Key: Type
          Value: AWS Serverless Function