Code to deploy a solution to detect secrets/tokens in Lambda functions using AWS Config.

• Description
• Prerequisites
• Dependencies
• Variables
• Usage
  • Preparing the Lambda layers (Bash Script)
  • Deploying the code (Terraforms)
• Security
• License

This Terraform module create a custom rule on AWS Config that detects secrets/tokens in the Lambda functions in the account.

The following diagram applies to the current solution.

Once a secret/token is identified in the environment variables of a Lambda function, they are flagged as NON_COMPLIANT with an annotation showing the type of the detected secret. (Example: JSON Web Token) The AWS Config rule is triggered at any modification of every environment variable in each Lambda functions in the account.

Pay attention: this module is meant to be used as standalone module.

• AWS Config: This module expects that AWS Config is already up and running in the region where the rules will be deployed. The setup can be easily carried out by following the official documentation.

• Docker: In order to properly deploy the resources to your account, Docker needs to be installed on your machine. Please refer to this link.

• rdklib: 0.2.0 Reference;
• detect-secrets: 1.1.0 Reference

The available variables are described in variables.tf file.

In this example we are going to deploy the custom rule that will automatically check all lambda functions for vulnerable environment variables.

The lambda function that will be leveraged to carry out the detection process uses two libraries rdklib and detect-secrets Therefore, you need to first ensure those libraries are available to the function in your account as lambda layers.

Use this command in your terminal to prepare them for Terraforms to deploy them in the following section:

cd scripts
./build.sh

Option 1: You can use the following sample to utilize the module within your code:

module "deploy_lambda_secrets_detector_rule" {
  config_rule_name = "lambda_has_no_secrets"
  source           = "./modules/lambda_has_no_secrets"
  enabled          = true
}

Please have a look inside inside variables.tf for all the possible options.

Option 2: Alternatively, if you have Terraform installed on your workstation, you can deploy the example by executing:

export AWS_PROFILE=$MY_AWS_PROFILE
terraform init
terraform apply

Pay attention: you should first modify the region in your AWS Profile in accordance to your requirements.

See CONTRIBUTING for more information.

This project is licensed under the Apache-2.0 License.