AWS Lambda function is not configured for a DLQ
Description
Configuring a dead-letter queue (DLQ) makes it possible to investigate errors or failed requests to the connected Lambda function. As an alternative it is possible to configure an on-failure destination, which forwards a failed event to a DLQ, SNS topic, Lambda function or EventBridge. It is always important to understand why your application/function failed and to ensure that no data was dropped or compromised. Lambda functions are often used to process security-related data such as CloudTrail events, and a failed delivery to a dependent system can result in an unnoticed security breach.
Code Example
```text
resource "aws_lambda_function" "test_lambda" {
  ...
+ dead_letter_config {
+   target_arn = "test"
+ }
}
```
Remediation
Terraform
- Resource: aws_lambda_function
- Arguments: dead_letter_config
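The following is an added example, not code from the Checkov rule page or the Checkov project, showing the remediation carried through: the Lambda function with a `dead_letter_config` pointing at an SQS queue, the `sqs:SendMessage` permission the function's role needs so that deliveries to the queue actually succeed, the on-failure destination alternative mentioned in the description, and an alarm so that a non-empty DLQ is noticed. All resource and function names (`lambda_dlq`, `cloudtrail_processor`, `lambda_exec`, `handler.zip`) are assumptions chosen for illustration.

```hcl
# Added example (not from the Checkov rule page): a Lambda function wired to an
# SQS dead-letter queue, plus the IAM permission the function's role needs to
# deliver failed events there. Resource names are illustrative assumptions.

resource "aws_sqs_queue" "lambda_dlq" {
  name                      = "cloudtrail-processor-dlq"
  message_retention_seconds = 1209600 # 14 days (SQS maximum) so failed events survive until reviewed
}

resource "aws_iam_role" "lambda_exec" {
  name = "cloudtrail-processor-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

# Without this statement the function is "configured for a DLQ" but every
# delivery to the queue is denied, so the failed events are still lost.
resource "aws_iam_role_policy" "lambda_dlq_send" {
  name = "allow-dlq-send"
  role = aws_iam_role.lambda_exec.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sqs:SendMessage"
      Resource = aws_sqs_queue.lambda_dlq.arn
    }]
  })
}

resource "aws_lambda_function" "cloudtrail_processor" {
  function_name = "cloudtrail-processor"
  role          = aws_iam_role.lambda_exec.arn
  handler       = "handler.main"
  runtime       = "python3.12"
  filename      = "handler.zip" # assumed deployment package

  # This is the block the dead_letter_config remediation asks for.
  dead_letter_config {
    target_arn = aws_sqs_queue.lambda_dlq.arn
  }
}

# Alternative from the description: an on-failure destination for asynchronous
# invocations. Shown here alongside the DLQ for illustration; either one gives
# you a place to recover failed events.
resource "aws_lambda_function_event_invoke_config" "cloudtrail_processor" {
  function_name          = aws_lambda_function.cloudtrail_processor.function_name
  maximum_retry_attempts = 2

  destination_config {
    on_failure {
      destination = aws_sqs_queue.lambda_dlq.arn
    }
  }
}

# A DLQ nobody watches still hides the failure; alarm when it is non-empty.
resource "aws_cloudwatch_metric_alarm" "dlq_not_empty" {
  alarm_name          = "cloudtrail-processor-dlq-not-empty"
  namespace           = "AWS/SQS"
  metric_name         = "ApproximateNumberOfMessagesVisible"
  dimensions          = { QueueName = aws_sqs_queue.lambda_dlq.name }
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 0
  comparison_operator = "GreaterThanThreshold"
}
```

The `dead_letter_config` block is what satisfies the rule, but the IAM statement and the alarm are what make the DLQ useful in practice: without the permission, Lambda cannot write to the queue, and without the alarm a backlog of failed CloudTrail events can sit unnoticed for the full retention period.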
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0169 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_116 |