From e5e19cc3542803b1c3549136fef3001232aaa090 Mon Sep 17 00:00:00 2001
From: Prathmesh Borle <65400885+cx-prathmesh-borle@users.noreply.github.com>
Date: Sun, 22 Mar 2026 20:41:10 +0530
Subject: [PATCH] fix(query): resolve false positive on Hardcoded AWS Access Key In Lambda #7074
---
 .../query.rego | 34 ++++++++++++++++---
 .../test/negative3.yaml | 15 ++++++++
 .../test/negative4.json | 23 +++++++++++++
 .../test/positive1.yaml | 2 +-
 .../test/positive2.yaml | 2 +-
 .../test/positive3.json | 2 +-
 .../test/positive4.json | 2 +-
 .../test/positive_expected_result.json | 14 ++++----
 8 files changed, 79 insertions(+), 15 deletions(-)
 create mode 100644 assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative3.yaml
 create mode 100644 assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative4.json
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/query.rego b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/query.rego
index 07809271e8b..fa1ec6e166e 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/query.rego
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/query.rego
@@ -1,7 +1,32 @@
 package Cx
 
+import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
+sensitive_var_pattern := "(?i)(access.?key|secret.?key|aws.?(key|secret|token|credential)|credential|secret.?access)"
+
+CxPolicy[result] {
+ document := input.document[i]
+ resource := document.Resources[key]
+ resource.Type == "AWS::Lambda::Function"
+ properties := resource.Properties
+
+ envVars := properties.Environment.Variables
+ some var
+ re_match("(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}", envVars[var])
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, key),
+ "searchKey": sprintf("Resources.%s.Properties.Environment.Variables", [key]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain a hardcoded AWS Access Key", [key]),
+ "keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains a hardcoded AWS Access Key", [key]),
+ "searchLine": common_lib.build_search_line(["Resources", key, "Properties", "Environment", "Variables", var], []),
+ }
+}
+
 CxPolicy[result] {
 document := input.document[i]
 resource := document.Resources[key]
@@ -9,9 +34,9 @@ CxPolicy[result] {
 properties := resource.Properties
 envVars := properties.Environment.Variables
 
- regexAccessKey := ["[A-Za-z0-9/+=]{40}", "[A-Z0-9]{20}"]
 some var
- re_match(regexAccessKey[_], envVars[var])
+ re_match(sensitive_var_pattern, var)
+ re_match("^[A-Za-z0-9/+=]{40}$", envVars[var])
 
 result := {
 "documentId": input.document[i].id,
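Review bot: Neither new rule carries a comment explaining why the access-key-ID rule matches on the value alone while the secret-key rule (second hunk) is gated on the variable name, and `sensitive_var_pattern` is undocumented, so a later "tidy-up" that makes the two rules symmetric would quietly reintroduce the false positive from #7074. Suggest a comment above `sensitive_var_pattern` along the lines of `# Variable names that may legitimately hold an AWS secret; the 40-char secret check is gated on the name because that format alone is indistinguishable from hashes and tokens (#7074)`, and one above the first rule noting that access key IDs are identifiable by their `AKIA`/`ASIA`/`A3T` prefix so no name gate is needed there. The first rule also repeats the four resource-selection lines of the second verbatim; a shared helper would keep the `AWS::Lambda::Function` filter in one place. If `envVars[var]` can be a non-string intrinsic (a `Ref`/`Fn::Sub` object), I believe `re_match` simply leaves that entry undefined rather than erroring, which is worth stating in the same comment so it is not mistaken for a gap.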
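Review bot: Gating the 40-character check on `re_match(sensitive_var_pattern, var)` converts the former false positive into a deliberate false negative: a real secret stored under a neutral name is no longer reported, which the new `negative3.yaml`/`negative4.json` fixtures make explicit by placing the AWS documentation example secret under `DATA_HASH`. That trade-off is defensible because the secret format has no distinguishing structure, but it should be visible to users in the query description/metadata and on this line, e.g. `# name-gated: a bare 40-char base64 string cannot be told apart from a hash, so only credential-looking variable names are checked`. Since `^[A-Za-z0-9/+=]{40}$` is now fully anchored, a value with leading or trailing whitespace also escapes; if KICS hands over quoted scalars verbatim that is fine, otherwise `trim_space(envVars[var])` before matching would close it. The enclosing rule begins in the previous hunk.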
@@ -19,7 +44,8 @@ CxPolicy[result] {
 "resourceName": cf_lib.get_resource_name(resource, key),
 "searchKey": sprintf("Resources.%s.Properties.Environment.Variables", [key]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain access key", [key]),
- "keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains access key", [key]),
+ "keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain a hardcoded AWS Secret Key", [key]),
+ "keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains a hardcoded AWS Secret Key", [key]),
+ "searchLine": common_lib.build_search_line(["Resources", key, "Properties", "Environment", "Variables", var], []),
 }
 }
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative3.yaml b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative3.yaml
new file mode 100644
index 00000000000..dea0a04a1ed
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative3.yaml
@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ LambdaFunctionSafe:
+ Type: AWS::Lambda::Function
+ Properties:
+ Handler: index.handler
+ Role: arn:aws:iam::123456789012:role/lambda-role
+ Environment:
+ Variables:
+ foo: "12345678901234567890"
+ DATA_HASH: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+ Code:
+ S3Bucket: my-bucket
+ S3Key: function.zip
+ Runtime: nodejs18.x
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative4.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative4.json
new file mode 100644
index 00000000000..b7bce7d1b6b
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/negative4.json
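Review bot: The new negative fixture only exercises the name gate with neutral names (`foo`, `DATA_HASH`); there is no negative case where a sensitive-looking name holds a non-literal value, such as `AWS_SECRET_ACCESS_KEY: !Ref SecretParam` or a `{{resolve:secretsmanager:...}}` dynamic reference, which is exactly the pattern the fix should steer users toward. Adding one would pin down that the query reports only literal 40-character values under those names and would also cover the non-string (intrinsic object) path through `re_match`. `negative4.json` is the same template in JSON, so a matching case there keeps the pair symmetric.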
@@ -0,0 +1,23 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "LambdaFunctionSafe2": {
+ "Type": "AWS::Lambda::Function",
+ "Properties": {
+ "Handler": "index.handler",
+ "Role": "arn:aws:iam::123456789012:role/lambda-role",
+ "Environment": {
+ "Variables": {
+ "foo": "12345678901234567890",
+ "DATA_HASH": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+ }
+ },
+ "Code": {
+ "S3Bucket": "my-bucket",
+ "S3Key": "function.zip"
+ },
+ "Runtime": "nodejs18.x"
+ }
+ }
+ }
+}
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive1.yaml b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive1.yaml
index 23050f93f86..2390efcbd7b 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive1.yaml
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive1.yaml
@@ -8,7 +8,7 @@ Resources:
 Role: arn:aws:iam::123456789012:role/lambda-role
 Environment:
 Variables:
- foo: "1234567890123456789012345678901234567890$"
+ AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
 databaseName: lambdadb
 databaseUser: admin
 Code:
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive2.yaml b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive2.yaml
index fef8cc69d73..63a47f2a168 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive2.yaml
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive2.yaml
@@ -8,7 +8,7 @@ Resources:
 Role: arn:aws:iam::123456789012:role/lambda-role
 Environment:
 Variables:
- foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+ AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 Code:
 S3Bucket: my-bucket
 S3Key: function.zip
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive3.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive3.json
index 4cf8fdbd394..0a529818690 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive3.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive3.json
@@ -27,7 +27,7 @@
 "Role": "arn:aws:iam::123456789012:role/lambda-role",
 "Environment": {
 "Variables": {
- "foo": "1234567890123456789012345678901234567890$",
+ "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
 "databaseName": "lambdadb",
 "databaseUser": "admin"
 }
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive4.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive4.json
index cb46184c149..6c5c0440abd 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive4.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive4.json
@@ -27,7 +27,7 @@
 "Role": "arn:aws:iam::123456789012:role/lambda-role",
 "Environment": {
 "Variables": {
- "foo": "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+ "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 }
 }
 }
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
index 522d250589f..9732cc2c52c 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
@@ -2,25 +2,25 @@
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
- "line": 10,
+ "line": 11,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
- "line": 10,
+ "line": 11,
 "fileName": "positive2.yaml"
 },
 {
- "line": 29,
- "fileName": "positive3.json",
 "queryName": "Hardcoded AWS Access Key In Lambda",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 30,
+ "fileName": "positive3.json"
 },
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
- "line": 29,
+ "line": 30,
 "fileName": "positive4.json"
 }
-]
\ No newline at end of file
+]