add check for env vars and kms, fixes #682 (#827)

tenable · Jun 1, 2021 · 9ff6f2f · 9ff6f2f
1 parent 37cef51
commit 9ff6f2f
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/pkg/policies/opa/rego/aws/aws_lambda_function/lambdaNotEncryptedWithKms.rego b/pkg/policies/opa/rego/aws/aws_lambda_function/lambdaNotEncryptedWithKms.rego
@@ -1,6 +1,11 @@
 package accurics
 
 lambdaNotEncryptedWithKms[lambda.id] {
-  lambda := input.aws_lambda_function[_]
-  not lambda.config.kms_key_arn
+	lambda := input.aws_lambda_function[_]
+
+	object.get(lambda.config, "environment", "undefined") != "undefined"
+	object.get(lambda.config.environment[_], "variables", "undefined") != "undefined"
+	lambda.config.environment[_].variables != {}
+
+	object.get(lambda.config, "kms_key_arn", "undefined") == "undefined"
 }