For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-hardcoded-aws-access-key-in-lambda.md. A documentation index is available at /llms.txt.

Hardcoded AWS access key in Lambda

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-hardcoded-aws-access-key-in-lambda

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Secret Management

Learn More

Description

Lambda functions must not include hardcoded AWS access keys or secret access keys in environment variables because embedded credentials can be exposed via function configuration, logs, snapshots, or code and allow unauthorized access to other AWS resources.

This rule inspects AWS::Lambda::Function resources and verifies the Properties.Environment.Variables map does not contain values matching common AWS access key ID patterns (20 uppercase alphanumeric characters) or secret access key patterns (40 base64-like characters). Use IAM execution roles for permissions or store secrets in AWS Secrets Manager or AWS Systems Manager Parameter Store SecureString parameters and reference them from the function. Resources with environment variable values that match the access-key regex will be flagged.

Secure example using a Secrets Manager dynamic reference:

MyFunction:
  Type: AWS::Lambda::Function
  Properties:
    FunctionName: my-function
    Role: arn:aws:iam::123456789012:role/lambda-exec-role
    Handler: index.handler
    Runtime: nodejs14.x
    Environment:
      Variables:
        DB_PASSWORD: '{{resolve:secretsmanager:my-db-secret:SecretString:password}}'

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Environment:
        Variables:
          foo: "test"
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "VPC function.",
  "Resources": {
    "LambdaFunction2": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": "my-bucket",
          "S3Key": "function.zip"
        },
        "Runtime": "nodejs12.x",
        "Timeout": 5,
        "TracingConfig": {
          "Mode": "Active"
        },
        "VpcConfig": {
          "SecurityGroupIds": [
            "sg-085912345678492fb"
          ],
          "SubnetIds": [
            "subnet-071f712345678e7c8",
            "subnet-07fd123456788a036"
          ]
        },
        "Handler": "index.handler",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
        "Environment": {
          "Variables": {
            "foo": "test"
          }
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  LambdaFunction3:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Environment:
        Variables:
          foo: "1234567890123456789012345678901234567890$"
          databaseName: lambdadb
          databaseUser: admin
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036

AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Resources:
  LambdaFunction4:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Environment:
        Variables:
          foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "VPC function.",
  "Resources": {
    "LambdaFunction5": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": "my-bucket",
          "S3Key": "function.zip"
        },
        "Runtime": "nodejs12.x",
        "Timeout": 5,
        "TracingConfig": {
          "Mode": "Active"
        },
        "VpcConfig": {
          "SecurityGroupIds": [
            "sg-085912345678492fb"
          ],
          "SubnetIds": [
            "subnet-071f712345678e7c8",
            "subnet-07fd123456788a036"
          ]
        },
        "Handler": "index.handler",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
        "Environment": {
          "Variables": {
            "foo": "1234567890123456789012345678901234567890$",
            "databaseName": "lambdadb",
            "databaseUser": "admin"
          }
        }
      }
    }
  }
}