
bug(aws): false positive on Hardcoded AWS Access Key In Lambda, (2564172f-c92b-4261-9acd-464aed511696) #7023

Open
pepdekpd opened this issue Apr 23, 2024 · 3 comments
Labels
  • appsec
  • aws (PR related with AWS Cloud)
  • bug (Something isn't working)
  • cloudformation (CloudFormation query)
  • community (Community contribution)
  • query (New query feature)

Comments

@pepdekpd

Running the KICS GitHub Action 2.0 on a Lambda with the following environment variables:

apiCredentials = <name of secure ssm parameter>
entity = <name>
logLevel = <loglevel>
progressMarker = <name of ssm parameter>
region = <region>
targetBucket = <bucketname>

Results in:

Hardcoded AWS Access Key In Lambda, Severity: HIGH, Results: 4
Description: Lambda access/secret keys should not be hardcoded
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696

	[1]: aws/cdk.out/di-dp-source-***********-dev.template.json:319

		318:     "Environment": {
		319:      "Variables": {
		320:       "progressMarker": {

Expected Behavior

I do not think this is an issue: the variables (apiCredentials, progressMarker) point to the names of Systems Manager Parameter Store parameters. The Lambda retrieves the credential values using the names of the parameters, so it is not a "Hardcoded AWS Access Key In Lambda" and the vulnerability should not be raised in this case.

  • Version: 2.0.0
  • Platform: AWS
  • Subsystem: github actions
@pepdekpd pepdekpd added bug Something isn't working community Community contribution labels Apr 23, 2024
@github-actions github-actions bot added query New query feature cloudformation CloudFormation query aws PR related with AWS Cloud labels Apr 23, 2024
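As an added illustration of the distinction the report makes (not the reporter's template and not the KICS query itself, which is written in Rego): a constructed mock of the Lambda "Environment" block, with parameter names in place of credentials, and a small check that only reports literal values matching AWS key formats, leaving parameter names and intrinsic-function references alone. The key-format regexes are an assumption for this example, not the KICS rule.

```python
import json
import re

# Constructed mock of the reported Lambda "Environment" block. The values are
# placeholder SSM parameter names and references, not credentials.
MOCK_TEMPLATE = json.loads("""
{
  "Resources": {
    "IngestFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Environment": {
          "Variables": {
            "apiCredentials": "/example/api-credentials",
            "progressMarker": {"Ref": "ProgressMarkerParam"},
            "region": "eu-west-1",
            "targetBucket": "example-bucket"
          }
        }
      }
    }
  }
}
""")

# Assumed heuristics: an access key id is AKIA/ASIA plus 16 upper-case
# alphanumerics; a secret access key is 40 characters of the base64 alphabet.
ACCESS_KEY_ID = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
SECRET_KEY = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def hardcoded_key_findings(template: dict) -> list[tuple[str, str]]:
    """Return (resource, variable) pairs whose literal value looks like an AWS key.

    Intrinsic functions ({"Ref": ...}, {"Fn::Sub": ...}) resolve at deploy time and
    plain parameter names are references, so neither is reported. A 40-character
    parameter name drawn from the base64 alphabet would still match: value-shape
    checks cannot tell a name from a secret, which is the ambiguity in the report.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        env = res.get("Properties", {}).get("Environment", {}).get("Variables", {})
        for var, value in env.items():
            if isinstance(value, str) and (ACCESS_KEY_ID.match(value) or SECRET_KEY.match(value)):
                findings.append((name, var))
    return findings


if __name__ == "__main__":
    print(hardcoded_key_findings(MOCK_TEMPLATE))  # [] for the mock above
```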
@gabriel-cx (Collaborator)

Hi @pepdekpd ,

Thank you for your inputs!
Our internal AppSec team will check it soon.
We will keep you updated.

(APPSEC-2557)

@gabriel-cx (Collaborator)

Hi @pepdekpd ,

Is it possible for you to provide more information regarding your problem?
Our internal AppSec team was not able to reproduce the problem.

If you can provide us with a mock code sample that contains no sensitive information and also triggers the same problem as the original code sample, it will help us a lot to fully understand the problem and provide you with the best information.

@Checkmarx Checkmarx deleted a comment from pepdekpd May 17, 2024
@gabriel-cx (Collaborator)

gabriel-cx commented May 17, 2024

@pepdekpd thank you so much!
Yes, the template you sent is enough for us to analyze!

Notice that I deleted your comment, so we make sure none of your code is shared online, for security purposes! I already have a copy on my local env, so we can work on it on our side. Hope this is okay for you! I will keep you updated.
