Checkmarx · cx-prathmesh-borle · Mar 22, 2026
@@ -1,25 +1,51 @@
 package Cx
 
+import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
+sensitive_var_pattern := "(?i)(access.?key|secret.?key|aws.?(key|secret|token|credential)|credential|secret.?access)"
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::Lambda::Function"
+	properties := resource.Properties
+
+	envVars := properties.Environment.Variables
+	some var
+	re_match("(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}", envVars[var])
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.Environment.Variables", [key]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain a hardcoded AWS Access Key", [key]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains a hardcoded AWS Access Key", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "Environment", "Variables", var], []),
+	}
+}
+
 CxPolicy[result] {
 	document := input.document[i]
 	resource := document.Resources[key]
 	resource.Type == "AWS::Lambda::Function"
 	properties := resource.Properties
 
 	envVars := properties.Environment.Variables
-	regexAccessKey := ["[A-Za-z0-9/+=]{40}", "[A-Z0-9]{20}"]
 	some var
-	re_match(regexAccessKey[_], envVars[var])
+	re_match(sensitive_var_pattern, var)
+	re_match("^[A-Za-z0-9/+=]{40}$", envVars[var])
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, key),
 		"searchKey": sprintf("Resources.%s.Properties.Environment.Variables", [key]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain access key", [key]),
-		"keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains access key", [key]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Environment.Variables shouldn't contain a hardcoded AWS Secret Key", [key]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Environment.Variables contains a hardcoded AWS Secret Key", [key]),
+		"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "Environment", "Variables", var], []),
 	}
 }
@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  LambdaFunctionSafe:
+    Type: AWS::Lambda::Function
+    Properties:
+      Handler: index.handler
+      Role: arn:aws:iam::123456789012:role/lambda-role
+      Environment:
+        Variables:
+          foo: "12345678901234567890"
+          DATA_HASH: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+      Code:
+        S3Bucket: my-bucket
+        S3Key: function.zip
+      Runtime: nodejs18.x
@@ -0,0 +1,23 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "LambdaFunctionSafe2": {
+      "Type": "AWS::Lambda::Function",
+      "Properties": {
+        "Handler": "index.handler",
+        "Role": "arn:aws:iam::123456789012:role/lambda-role",
+        "Environment": {
+          "Variables": {
+            "foo": "12345678901234567890",
+            "DATA_HASH": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+          }
+        },
+        "Code": {
+          "S3Bucket": "my-bucket",
+          "S3Key": "function.zip"
+        },
+        "Runtime": "nodejs18.x"
+      }
+    }
+  }
+}
@@ -8,7 +8,7 @@ Resources:
       Role: arn:aws:iam::123456789012:role/lambda-role
       Environment:
         Variables:
-          foo: "1234567890123456789012345678901234567890$"
+          AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
           databaseName: lambdadb
           databaseUser: admin
       Code:

@@ -8,7 +8,7 @@ Resources:
       Role: arn:aws:iam::123456789012:role/lambda-role
       Environment:
         Variables:
-          foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+          AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip

@@ -27,7 +27,7 @@
         "Role": "arn:aws:iam::123456789012:role/lambda-role",
         "Environment": {
           "Variables": {
-            "foo": "1234567890123456789012345678901234567890$",
+            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
             "databaseName": "lambdadb",
             "databaseUser": "admin"
           }

@@ -27,7 +27,7 @@
         "Role": "arn:aws:iam::123456789012:role/lambda-role",
         "Environment": {
           "Variables": {
-            "foo": "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+            "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
           }
         }
       }

@@ -2,25 +2,25 @@
   {
     "queryName": "Hardcoded AWS Access Key In Lambda",
     "severity": "HIGH",
-    "line": 10,
+    "line": 11,
     "fileName": "positive1.yaml"
   },
   {
     "queryName": "Hardcoded AWS Access Key In Lambda",
     "severity": "HIGH",
-    "line": 10,
+    "line": 11,
     "fileName": "positive2.yaml"
   },
   {
-    "line": 29,
-    "fileName": "positive3.json",
     "queryName": "Hardcoded AWS Access Key In Lambda",
-    "severity": "HIGH"
+    "severity": "HIGH",
+    "line": 30,
+    "fileName": "positive3.json"
   },
   {
     "queryName": "Hardcoded AWS Access Key In Lambda",
     "severity": "HIGH",
-    "line": 29,
+    "line": 30,
     "fileName": "positive4.json"
   }
-]
+]