--- title: Hardcoded AWS access key in Lambda description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Hardcoded AWS access key in Lambda --- # Hardcoded AWS access key in Lambda {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-hardcoded-aws-access-key-in-lambda` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Secret Management #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment) ### Description{% #description %} Lambda functions must not include hardcoded AWS access keys or secret access keys in environment variables because embedded credentials can be exposed via function configuration, logs, snapshots, or code and allow unauthorized access to other AWS resources. This rule inspects `AWS::Lambda::Function` resources and verifies the `Properties.Environment.Variables` map does not contain values matching common AWS access key ID patterns (`20` uppercase alphanumeric characters) or secret access key patterns (`40` base64-like characters). Use IAM execution roles for permissions or store secrets in AWS Secrets Manager or AWS Systems Manager Parameter Store `SecureString` parameters and reference them from the function. Resources with environment variable values that match the access-key regex will be flagged. Secure example using a Secrets Manager dynamic reference: ```yaml MyFunction: Type: AWS::Lambda::Function Properties: FunctionName: my-function Role: arn:aws:iam::123456789012:role/lambda-exec-role Handler: index.handler Runtime: nodejs14.x Environment: Variables: DB_PASSWORD: '{{resolve:secretsmanager:my-db-secret:SecretString:password}}' ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: '2010-09-09' Description: VPC function. Resources: LambdaFunction: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: arn:aws:iam::123456789012:role/lambda-role Environment: Variables: foo: "test" Code: S3Bucket: my-bucket S3Key: function.zip Runtime: nodejs12.x Timeout: 5 TracingConfig: Mode: Active VpcConfig: SecurityGroupIds: - sg-085912345678492fb SubnetIds: - subnet-071f712345678e7c8 - subnet-07fd123456788a036 ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "VPC function.", "Resources": { "LambdaFunction2": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "my-bucket", "S3Key": "function.zip" }, "Runtime": "nodejs12.x", "Timeout": 5, "TracingConfig": { "Mode": "Active" }, "VpcConfig": { "SecurityGroupIds": [ "sg-085912345678492fb" ], "SubnetIds": [ "subnet-071f712345678e7c8", "subnet-07fd123456788a036" ] }, "Handler": "index.handler", "Role": "arn:aws:iam::123456789012:role/lambda-role", "Environment": { "Variables": { "foo": "test" } } } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: '2010-09-09' Description: VPC function. Resources: LambdaFunction3: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: arn:aws:iam::123456789012:role/lambda-role Environment: Variables: foo: "1234567890123456789012345678901234567890$" databaseName: lambdadb databaseUser: admin Code: S3Bucket: my-bucket S3Key: function.zip Runtime: nodejs12.x Timeout: 5 TracingConfig: Mode: Active VpcConfig: SecurityGroupIds: - sg-085912345678492fb SubnetIds: - subnet-071f712345678e7c8 - subnet-07fd123456788a036 ``` ```yaml AWSTemplateFormatVersion: '2010-09-09' Description: VPC function. Resources: LambdaFunction4: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: arn:aws:iam::123456789012:role/lambda-role Environment: Variables: foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$" Code: S3Bucket: my-bucket S3Key: function.zip Runtime: nodejs12.x Timeout: 5 TracingConfig: Mode: Active VpcConfig: SecurityGroupIds: - sg-085912345678492fb SubnetIds: - subnet-071f712345678e7c8 - subnet-07fd123456788a036 ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "VPC function.", "Resources": { "LambdaFunction5": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "my-bucket", "S3Key": "function.zip" }, "Runtime": "nodejs12.x", "Timeout": 5, "TracingConfig": { "Mode": "Active" }, "VpcConfig": { "SecurityGroupIds": [ "sg-085912345678492fb" ], "SubnetIds": [ "subnet-071f712345678e7c8", "subnet-07fd123456788a036" ] }, "Handler": "index.handler", "Role": "arn:aws:iam::123456789012:role/lambda-role", "Environment": { "Variables": { "foo": "1234567890123456789012345678901234567890$", "databaseName": "lambdadb", "databaseUser": "admin" } } } } } } ```