data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

Enable encryption for environment variables in lambdas - cont #1319

Open mourya-33 opened 1 month ago

mourya-33 commented 1 month ago

Describe the bug

The Lambda environment variables are not encrypted. These are flagged by checkov as failures:

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    FAILED for resource: AWS::Lambda::Function.TriggerFunctiondbmigrationshandlerhandler8A64572A
    File: /assembly-dataall-main-cicd-stack-dataall-sandbox-backend-stage/dataallmaincicdstackdataallsandboxbackendstagebackendstackDbMigrations80B1C3E5.nested.template.json:378-452
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    FAILED for resource: AWS::Lambda::Function.CognitoParamsSyncHandlersandbox22A17F25
    File: /assembly-dataall-main-cicd-stack-dataall-sandbox-backend-stage/dataallmaincicdstackdataallsandboxbackendstagebackendstackCognito0421C128.nested.template.json:589-648
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    FAILED for resource: AWS::Lambda::Function.CognitoProvidersandboxframeworkonEventE89AB8F9
    File: /assembly-dataall-main-cicd-stack-dataall-sandbox-backend-stage/dataallmaincicdstackdataallsandboxbackendstagebackendstackCognito0421C128.nested.template.json:734-778
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    FAILED for resource: AWS::Lambda::Function.TriggerFunctionsavepermshandlerhandlerDA90B406
    File: /assembly-dataall-main-cicd-stack-dataall-sandbox-backend-stage/dataallmaincicdstackdataallsandboxbackendstagebackendstackSavePermsBAF6E160.nested.template.json:378-452
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

How to Reproduce

Run a checkov scan on the cdk.out directory after cdk synth.

Expected behavior

Once the env variables are encrypted, the checkov scans for the above exceptions should succeed.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.5

Additional context

Ref ticket where this issue was previously addressed for other lambdas: https://github.com/data-dot-all/dataall/issues/1201
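To make concrete what CKV_AWS_173 is looking for in the synthesized templates under cdk.out, here is an added example (not checkov's code and not part of data.all) that runs an equivalent check over a constructed CloudFormation fragment: any AWS::Lambda::Function that declares Environment.Variables must also set KmsKeyArn, the property that carries the customer-managed key used to encrypt the variables at rest. The template, its logical IDs and the variable values are all constructed for illustration; the check itself is an approximation of the checkov rule, not its source.

```python
import json
from typing import Dict, List

# Constructed sample template (not the project's real synthesized output):
# one function with plaintext-only environment variables, one that supplies a
# KMS key for them, and one with no environment block at all.
SAMPLE_TEMPLATE = {
    "Resources": {
        "UnencryptedFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "python3.10",
                "Environment": {"Variables": {"ENVNAME": "sandbox"}},
            },
        },
        "EncryptedFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "python3.10",
                "Environment": {"Variables": {"ENVNAME": "sandbox"}},
                # Customer-managed key: this is what makes the check pass.
                "KmsKeyArn": {"Fn::GetAtt": ["LambdaEnvKey", "Arn"]},
            },
        },
        "NoEnvFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Handler": "index.handler", "Runtime": "python3.10"},
        },
        "LambdaEnvKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    }
}


def lambda_env_unencrypted(resource: Dict) -> bool:
    """True when a Lambda function defines environment variables but no KmsKeyArn.

    Non-Lambda resources and functions without variables are not findings:
    there is nothing to encrypt, so the rule does not apply to them.
    """
    if resource.get("Type") != "AWS::Lambda::Function":
        return False
    props = resource.get("Properties") or {}
    variables = (props.get("Environment") or {}).get("Variables") or {}
    if not variables:
        return False
    return not props.get("KmsKeyArn")


def find_unencrypted_lambda_env(template: Dict) -> List[str]:
    """Return the sorted logical IDs of Lambda functions that fail the check."""
    resources = template.get("Resources") or {}
    return sorted(
        logical_id
        for logical_id, resource in resources.items()
        if lambda_env_unencrypted(resource)
    )


def scan_template_file(path: str) -> List[str]:
    """Run the same check against a synthesized template on disk (e.g. under cdk.out)."""
    with open(path, encoding="utf-8") as fh:
        return find_unencrypted_lambda_env(json.load(fh))


if __name__ == "__main__":
    for logical_id in find_unencrypted_lambda_env(SAMPLE_TEMPLATE):
        print(
            f"FAILED: AWS::Lambda::Function.{logical_id} "
            "sets environment variables without KmsKeyArn"
        )
```

Pointing scan_template_file at each *.nested.template.json file under cdk.out reproduces the finding list from the report above without running checkov; once the function-level KMS key is wired through to KmsKeyArn, the list is empty.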

mourya-33 commented 1 month ago

PR - https://github.com/data-dot-all/dataall/pull/1322