For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-serverless-function-environment-variables-not-encrypted.md. A documentation index is available at /llms.txt.

Serverless function environment variables not encrypted

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-serverless-function-environment-variables-not-encrypted

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Encryption

Learn More

Description

Serverless functions that define environment variables must encrypt those variables with a customer-managed AWS KMS key to protect secrets and configuration data from exposure if the function configuration is accessed or leaked. For AWS::Serverless::Function resources that include Properties.Environment.Variables, the Properties.KmsKeyArn property must be defined and set to a valid KMS key ARN or alias (not null). Resources missing KmsKeyArn or where KmsKeyArn is null will be flagged. Example secure configuration referencing a KMS key:

MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Runtime: nodejs14.x
    Handler: index.handler
    Environment:
      Variables:
        DB_PASSWORD: mypassword
    KmsKeyArn: !GetAtt MyKmsKey.Arn

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  Function1:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        - Key: Type
          Value: AWS Serverless Function
      DeadLetterConfig:
        TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa
        Type: SQS
      Environment:
        Variables:
          key: value
      KmsKeyArn: arn:aws:kms:us-west-1:123456789123:key/12345678-12cc-45bb-98aa-9876543210cc

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        - Key: Type
          Value: AWS Serverless Function
      DeadLetterConfig:
        TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa
        Type: SQS
      Environment:
        Variables:
          key: value