fix(query): resolve false positive on Hardcoded AWS Access Key In Lambda #7074

cx-prathmesh-borle · cx-prathmesh-borle · commit 6b96dbc127c5 · 2026-03-23T04:12:42.000+05:30
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/query.rego b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/query.rego
@@ -1,25 +1,51 @@
 package Cx
 
+import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
+sensitive_var_pattern := "(?i)(access.?key|secret.?key|aws.?(key|secret|token|credential)|credential|secret.?access)"
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::Lambda::Function"
+	properties := resource.Properties
+
+	envVars := properties.Environment.Variables
+	some var
+	re_match("(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}", envVars[var])
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.Environment.Variables", [key]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain a hardcoded AWS Access Key", [key]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains a hardcoded AWS Access Key", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "Environment", "Variables", var], []),
+	}
+}
+
 CxPolicy[result] {
 	document := input.document[i]
 	resource := document.Resources[key]
 	resource.Type == "AWS::Lambda::Function"
 	properties := resource.Properties
 
 	envVars := properties.Environment.Variables
-	regexAccessKey := ["[A-Za-z0-9/+=]{40}", "[A-Z0-9]{20}"]
 	some var
-	re_match(regexAccessKey[_], envVars[var])
+	re_match(sensitive_var_pattern, var)
+	re_match("^[A-Za-z0-9/+=]{40}$", envVars[var])
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, key),
 		"searchKey": sprintf("Resources.%s.Properties.Environment.Variables", [key]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain access key", [key]),
-		"keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains access key", [key]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain a hardcoded AWS Secret Key", [key]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains a hardcoded AWS Secret Key", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "Environment", "Variables", var], []),
 	}
 }
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative3.yaml b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative3.yaml
@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  LambdaFunctionSafe:
+    Type: AWS::Lambda::Function
+    Properties:
+      Handler: index.handler
+      Role: arn:aws:iam::123456789012:role/lambda-role
+      Environment:
+        Variables:
+          foo: "12345678901234567890"
+          DATA_HASH: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+      Code:
+        S3Bucket: my-bucket
+        S3Key: function.zip
+      Runtime: nodejs18.x
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative4.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative4.json
@@ -0,0 +1,23 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "LambdaFunctionSafe2": {
+      "Type": "AWS::Lambda::Function",
+      "Properties": {
+        "Handler": "index.handler",
+        "Role": "arn:aws:iam::123456789012:role/lambda-role",
+        "Environment": {
+          "Variables": {
+            "foo": "12345678901234567890",
+            "DATA_HASH": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+          }
+        },
+        "Code": {
+          "S3Bucket": "my-bucket",
+          "S3Key": "function.zip"
+        },
+        "Runtime": "nodejs18.x"
+      }
+    }
+  }
+}
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive1.yaml b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive1.yaml
@@ -8,7 +8,7 @@ Resources:
       Role: arn:aws:iam::123456789012:role/lambda-role
       Environment:
         Variables:
-          foo: "1234567890123456789012345678901234567890$"
+          AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
           databaseName: lambdadb
           databaseUser: admin
       Code:
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive2.yaml b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive2.yaml
@@ -8,7 +8,7 @@ Resources:
       Role: arn:aws:iam::123456789012:role/lambda-role
       Environment:
         Variables:
-          foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+          AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive3.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive3.json
@@ -27,7 +27,7 @@
         "Role": "arn:aws:iam::123456789012:role/lambda-role",
         "Environment": {
           "Variables": {
-            "foo": "1234567890123456789012345678901234567890$",
+            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
             "databaseName": "lambdadb",
             "databaseUser": "admin"
           }
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive4.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive4.json
@@ -27,7 +27,7 @@
         "Role": "arn:aws:iam::123456789012:role/lambda-role",
         "Environment": {
           "Variables": {
-            "foo": "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+            "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
           }
         }
       }
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
@@ -2,25 +2,25 @@
   {
     "queryName": "Hardcoded AWS Access Key In Lambda",
     "severity": "HIGH",
-    "line": 10,
+    "line": 11,
     "fileName": "positive1.yaml"
   },
   {
     "queryName": "Hardcoded AWS Access Key In Lambda",
     "severity": "HIGH",
-    "line": 10,
+    "line": 11,
     "fileName": "positive2.yaml"
   },
   {
-    "line": 29,
-    "fileName": "positive3.json",
     "queryName": "Hardcoded AWS Access Key In Lambda",
-    "severity": "HIGH"
+    "severity": "HIGH",
+    "line": 30,
+    "fileName": "positive3.json"
   },
   {
     "queryName": "Hardcoded AWS Access Key In Lambda",
     "severity": "HIGH",
-    "line": 29,
+    "line": 30,
     "fileName": "positive4.json"
   }
-]
+]

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@`
`27`	`27`	`"Role": "arn:aws:iam::123456789012:role/lambda-role",`
`28`	`28`	`"Environment": {`
`29`	`29`	`"Variables": {`
`30`		`- "foo": "1234567890123456789012345678901234567890$",`
	`30`	`+ "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",`
`31`	`31`	`"databaseName": "lambdadb",`
`32`	`32`	`"databaseUser": "admin"`
`33`	`33`	`}`