AWS Lambda encryption settings environmental variable is not set properly
Description
This policy checks the encryption settings for environment variables in AWS Lambda functions. It's essential to use a KMS key for encrypting environment variables to protect sensitive data. If environment variables are provided, a KMS key must be specified. This policy checks whether the `kms_key_arn` is set when environment variables are used in a Lambda function.
Code Example
```hcl
resource "aws_lambda_function" "example" {
  ...
  environment {
    variables = {
      EXAMPLE_VAR = "example-value"
    }
  }
  kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/example-key-arn"
}
```
Remediation
Terraform
To fix this issue, ensure that when environment variables are specified in the `aws_lambda_function` resource, the `kms_key_arn` property is also set to a valid KMS key ARN.
Example:
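The following is an added example (not Checkov's or the policy's own implementation) that applies this rule's logic to a Terraform plan JSON fragment, as produced by `terraform show -json`: a function passes when it has no environment variables, and otherwise only when `kms_key_arn` is a non-empty string. The plan fragment is constructed inline for the demonstration.

```python
import json

def check_lambda_env_encryption(attrs: dict) -> bool:
    """True when the resource satisfies the rule: if any environment
    variables are defined, kms_key_arn must be a non-empty string.
    No environment block or an empty variables map passes (nothing to encrypt)."""
    # In plan JSON a nested block is a list of objects, even when at most one is allowed.
    environment = attrs.get("environment") or []
    if not any((block or {}).get("variables") for block in environment):
        return True
    kms_key_arn = attrs.get("kms_key_arn")
    return isinstance(kms_key_arn, str) and kms_key_arn.strip() != ""

def scan_plan(plan: dict) -> dict:
    """Map each aws_lambda_function address in a plan to "PASSED" or "FAILED".
    Resources being destroyed have no `after` state and are skipped."""
    results = {}
    for change in plan.get("resource_changes", []):
        if change.get("type") != "aws_lambda_function":
            continue
        after = (change.get("change") or {}).get("after")
        if after is not None:
            results[change["address"]] = "PASSED" if check_lambda_env_encryption(after) else "FAILED"
    return results

# Constructed plan fragment (not output of a real `terraform show -json` run):
# one compliant function, one with variables but no KMS key, one with no environment.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_lambda_function.encrypted", "type": "aws_lambda_function",
     "change": {"actions": ["create"], "after": {
       "environment": [{"variables": {"EXAMPLE_VAR": "example-value"}}],
       "kms_key_arn": "arn:aws:kms:us-west-2:123456789012:key/example-key-arn"}}},
    {"address": "aws_lambda_function.plaintext", "type": "aws_lambda_function",
     "change": {"actions": ["create"], "after": {
       "environment": [{"variables": {"DB_PASSWORD": "placeholder"}}],
       "kms_key_arn": null}}},
    {"address": "aws_lambda_function.no_env", "type": "aws_lambda_function",
     "change": {"actions": ["create"], "after": {"environment": []}}}
  ]
}
""")

if __name__ == "__main__":
    for address, verdict in scan_plan(SAMPLE_PLAN).items():
        print(f"{verdict:6} {address}")
```

A `kms_key_arn` that is only known after apply (for example, referencing a KMS key created in the same plan) is absent from `after` and listed under `after_unknown`, so this scan would report it as FAILED; check `after_unknown` before treating such a result as a finding.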
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0222 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_173 |