kics
bug(aws): false positive on Hardcoded AWS Access Key In Lambda, (2564172f-c92b-4261-9acd-464aed511696)
Running the KICS GitHub Action 2.0 on a Lambda with the following environment variables:
apiCredentials = <name of secure ssm parameter>
entity = <name>
logLevel = <loglevel>
progressMarker = <name of ssm parameter>
region = <region>
targetBucket = <bucketname>
Results in:
Hardcoded AWS Access Key In Lambda, Severity: HIGH, Results: 4
Description: Lambda access/secret keys should not be hardcoded
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696
[1]: aws/cdk.out/di-dp-source-***********-dev.template.json:319
318: "Environment": {
319: "Variables": {
320: "progressMarker": {
Expected Behavior
I do not think this is an issue: the variables (apiCredentials, progressMarker) point to the names of Systems Manager Parameter Store parameters. The Lambda retrieves the credential values at runtime using the names of the parameters, so this is not a "Hardcoded AWS Access Key In Lambda", and the vulnerability should not be raised in this case.
- Version: 2.0.0
- Platform: AWS
- Subsystem: github actions
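The distinction the reporter draws, a parameter name in the template versus a key value in the template, is the whole question, so here is an added example that is not code from this thread or from KICS. It scans a constructed CloudFormation fragment two ways: a name-only heuristic that flags any variable whose name sounds secret-like, and a value check that flags only literals shaped like AWS keys. `NAME_HINT_RE`, `ACCESS_KEY_ID_RE`, `SECRET_KEY_RE`, the resource names and the SSM parameter name are all assumptions made for this illustration; they are not the actual logic of query 2564172f-c92b-4261-9acd-464aed511696, which this page does not show. The key values in `LeakyFunction` are AWS's documented placeholder credentials, not live secrets.

```python
import re

# Constructed CloudFormation fragment for this example (not the reporter's
# template). SourceFunction stores only SSM parameter *names*, as the issue
# describes; LeakyFunction embeds real-looking keys. The key values are AWS's
# documented placeholder credentials, not live secrets.
TEMPLATE = {
    "Resources": {
        "SourceFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.11",
                "Handler": "index.handler",
                "Environment": {
                    "Variables": {
                        "apiCredentials": "/example/dev/api-credentials",
                        "progressMarker": {"Ref": "ProgressMarkerParameterName"},
                        "region": {"Ref": "AWS::Region"},
                        "targetBucket": "example-target-bucket",
                    }
                },
            },
        },
        "LeakyFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.11",
                "Handler": "index.handler",
                "Environment": {
                    "Variables": {
                        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                        "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                    }
                },
            },
        },
    }
}

# Assumed heuristics for this illustration; they are not KICS's query logic.
# A name-only check flags any variable whose *name* sounds like a secret.
NAME_HINT_RE = re.compile(r"(?i)(credential|secret|key|token)")
# Value checks: AWS access key IDs have a fixed prefix and length; secret keys
# are 40 base64-like characters, which is only meaningful alongside a name hint.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")


def lambda_env_vars(template):
    """Yield (resource, variable name, raw value) for every Lambda env var."""
    for resource, body in template.get("Resources", {}).items():
        if body.get("Type") != "AWS::Lambda::Function":
            continue
        env = body.get("Properties", {}).get("Environment", {})
        for name, value in env.get("Variables", {}).items():
            yield resource, name, value


def name_based_findings(template):
    """Flag on variable name alone: catches LeakyFunction, but also the SSM
    parameter name stored in apiCredentials, i.e. a false positive."""
    return sorted((r, n) for r, n, _ in lambda_env_vars(template) if NAME_HINT_RE.search(n))


def value_based_findings(template):
    """Flag only literal values that look like AWS keys. Intrinsic functions
    (Ref, Fn::GetAtt, ...) are dicts resolved at deploy time, so they cannot be
    a hardcoded key and are skipped."""
    findings = []
    for r, n, value in lambda_env_vars(template):
        if not isinstance(value, str):
            continue
        looks_like_id = bool(ACCESS_KEY_ID_RE.search(value))
        looks_like_secret = bool(SECRET_KEY_RE.match(value)) and bool(NAME_HINT_RE.search(n))
        if looks_like_id or looks_like_secret:
            findings.append((r, n))
    return sorted(findings)


def false_positives(template):
    """Variables the name heuristic flags that carry no key-shaped literal."""
    return sorted(set(name_based_findings(template)) - set(value_based_findings(template)))


if __name__ == "__main__":
    print("name-based: ", name_based_findings(TEMPLATE))
    print("value-based:", value_based_findings(TEMPLATE))
    print("false positives from name-only matching:", false_positives(TEMPLATE))
```

Run stand-alone, the name-only pass reports `apiCredentials` on `SourceFunction` alongside the two genuinely embedded keys, while the value pass reports only `LeakyFunction`. The reporter's real template is not on this page, so whether KICS matched on the name, the value, or something else cannot be shown here; the point of the example is that a check for a hardcoded key has to look at the literal value (and skip intrinsic functions), because a variable name like `apiCredentials` legitimately holds a Parameter Store name.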
Hi @pepdekpd ,
Thank you for your inputs! Our internal AppSec team will check it soon. We will keep you updated.
(APPSEC-2557)
Hi @pepdekpd ,
Is it possible for you to provide more information regarding your problem? Our internal AppSec team was not able to reproduce the problem.
If you can provide us with a mock code sample that contains no sensitive information and also triggers the same problem as the original code sample, it will help us a lot to fully understand the problem and provide you with the best information.
@pepdekpd thank you so much! Yes, the template you sent is enough for us to analyze!
Notice that I deleted your comment, so we can make sure none of your code is shared online, for security purposes! I already have a copy in my local environment, so we can work on it on our side. Hope this is okay with you! I will keep you updated.