Scanning AWS Lambdas with SAST

Introduction

AWS Lambda is a computing service that runs code without the need for provisioning or managing infrastructure. Lambda manages computing resources, including server and operating system maintenance, capacity provisioning and automatic scaling, code monitoring and logging. Lambda is based on the use of Lambda functions, which can be created in different languages.

Starting with Engine Pack 9.5.1, the SAST engine supports a stand-alone AWS Lambda scan which:

  • Identifies and maps:

    • Inputs

    • Outputs

    • Vulnerabilities that are specific to Lambda functions (using the new Lambda-related queries)

  • Natively supports:

    • Amazon Simple Storage Service (Amazon S3)

    • Amazon DynamoDB

    • AWS SDK v2 or v3 for JavaScript (Node.js)

    • AWS SDK for Python (Boto3)

    • AWS SDK for Go

  • Supports the following languages:

    • JavaScript (from EP 9.5.1)

    • Python (from EP 9.5.2)

    • Go (from EP 9.5.3)

Support Overview

When scanning the code, the first step is to identify the usage of AWS Lambda functions (which requires the "aws-sdk" platform) inside the source code. Because these functions run in a runtime environment that is usually event-driven, they receive data and return data. From a security point of view, SAST therefore identifies the data flows from sources (the data a function receives) to sinks (the calls that consume it) and whether or not each flow passes through a sanitizer.

When a Lambda function interacts with these services, it creates a new client object and issues commands through it. Since these services are data stores, the existing database-related CxQL queries (covering data insertion and retrieval APIs) were updated for the supported languages to take these new cases into account. In addition to the improved queries, new queries were added to support S3 and DynamoDB; they belong to the new groups listed below.
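The following example illustrates the source-to-sink flow described in the two paragraphs above: a handler that passes event data straight to an S3 client call beside one that validates and scopes the value first. It is added here and is not Checkmarx's or AWS's code; it assumes an API Gateway proxy event shape, a bucket name `reports-bucket`, and a constructed `FakeS3` stand-in for the boto3 client so it runs offline.

```python
import re

# Constructed stand-in for a boto3 S3 client so the handlers run offline.
# Only get_object is modelled, using the boto3 keyword-argument signature.
class FakeS3:
    def __init__(self, objects):
        self.objects = objects          # {key: bytes}, constructed contents
        self.keys_requested = []        # every key that reached the sink

    def get_object(self, Bucket, Key):
        self.keys_requested.append(Key)
        if Key not in self.objects:
            raise KeyError(Key)         # boto3 would raise NoSuchKey
        return {"Body": self.objects[Key]}

BUCKET = "reports-bucket"                                # assumed bucket
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")   # sanitizer: allow-list

def handler_unsanitized(event, s3):
    """Source: the Lambda event. Sink: s3.get_object. Nothing in between,
    so any caller can name any key in the bucket; this is the flow a
    data-flow query reports as unsanitized."""
    key = event["queryStringParameters"]["file"]
    return {"statusCode": 200, "body": s3.get_object(Bucket=BUCKET, Key=key)["Body"]}

def handler_sanitized(event, s3):
    """Same source and sink, but the value is validated against an
    allow-list and scoped to the caller's own prefix before the sink."""
    params = event.get("queryStringParameters") or {}
    name = params.get("file", "")
    user = event.get("requestContext", {}).get("authorizer", {}).get("userId")
    if not user or not SAFE_NAME.fullmatch(name):
        return {"statusCode": 400, "body": b""}
    key = f"users/{user}/{name}"        # caller cannot leave its own prefix
    try:
        body = s3.get_object(Bucket=BUCKET, Key=key)["Body"]
    except KeyError:
        return {"statusCode": 404, "body": b""}
    return {"statusCode": 200, "body": body}

# Constructed sample bucket contents and events.
OBJECTS = {"users/alice/q1.pdf": b"alice-q1", "users/bob/secret.pdf": b"bob-secret"}

def demo():
    s3 = FakeS3(OBJECTS)
    ctx = {"authorizer": {"userId": "alice"}}
    ev_cross_user = {"queryStringParameters": {"file": "users/bob/secret.pdf"},
                     "requestContext": ctx}
    ev_ok = {"queryStringParameters": {"file": "q1.pdf"}, "requestContext": ctx}
    return (handler_unsanitized(ev_cross_user, s3)["statusCode"],
            handler_sanitized(ev_cross_user, s3)["statusCode"],
            handler_sanitized(ev_ok, s3)["body"])
```

Running `demo()` shows the unsanitized handler returning another user's object (200) while the sanitized one rejects the same event (400) and still serves the caller's own file.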

The SAST support for AWS Serverless Lambdas is based on SAST CxQL queries only. The new set of queries is available under the following new groups:

  • JavaScript_AWS_Lambda

  • Python_AWS_Lambda

  • Go_AWS_Lambda

For a complete list of queries, see here.