Added env variables to aws lambda information

nccgroup · Jun 5, 2020 · c8c9486 · c8c9486
1 parent eac628c
commit c8c9486
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/ScoutSuite/output/data/html/partials/aws/services.awslambda.regions.id.functions.html b/ScoutSuite/output/data/html/partials/aws/services.awslambda.regions.id.functions.html
@@ -21,6 +21,11 @@ <h4 class="list-group-item-heading">Information</h4>
         {{> accordion_policy name = 'Resource-Based Policy' policy_path = (concat 'awslambda.regions' region 'functions' @key 'access_policy') document = access_policy}}
     </div>
     {{/if}}
+    {{#if env_variables}}
+    <div class="list-group-item">
+        {{> accordion_policy name = 'Environment Variables' policy_path = (concat 'awslambda.regions' region 'functions' @key 'env_variables') document = env_variables}}
+    </div>
+    {{/if}}
 </script>
 
 <script>

diff --git a/ScoutSuite/providers/aws/facade/awslambda.py b/ScoutSuite/providers/aws/facade/awslambda.py
@@ -40,4 +40,13 @@ async def get_role_with_managed_policies(self, role_name):
         except Exception:
             return None
 
+    async def get_env_variables(self, function_name, region):
+        client = AWSFacadeUtils.get_client('lambda', self.session, region)
+        try:
+            function_configuration = client.get_function_configuration(FunctionName=function_name)
+            if "Environment" in function_configuration and "Variables" in function_configuration["Environment"]:
+                return function_configuration["Environment"]["Variables"]
+        except Exception as e:
+            print_exception('Failed to get Lambda function configuration: {}'.format(e))
+        return []
 
diff --git a/ScoutSuite/providers/aws/resources/awslambda/functions.py b/ScoutSuite/providers/aws/resources/awslambda/functions.py
@@ -32,6 +32,7 @@ async def _parse_function(self, raw_function):
 
         await self._add_role_information(function_dict, raw_function.get('Role'))
         await self._add_access_policy_information(function_dict)
+        await self._add_env_variables(function_dict)
 
         return function_dict['name'], function_dict
 
@@ -57,3 +58,14 @@ async def _add_access_policy_information(self, function_dict):
             function_dict['access_policy'] = {'Version': '2012-10-17',
                                               'Id': 'default',
                                               'Statement': []}
+
+    async def _add_env_variables(self, function_dict):
+        env_variables = await self.facade.awslambda.get_env_variables(function_dict['name'], self.region)
+        function_dict["env_variables"] = env_variables
+        # The following properties are for easier rule creation
+        if env_variables:
+            function_dict["env_variable_names"] = list(env_variables.keys())
+            function_dict["env_variable_values"] = list(env_variables.values())
+        else:
+            function_dict["env_variable_names"] = []
+            function_dict["env_variable_values"] = []