From ce6d0a5f22fb9dd72ceaa4c2e99dfbc08767becb Mon Sep 17 00:00:00 2001
From: Roman Volykh
Date: Fri, 19 Dec 2025 12:06:09 +0200
Subject: [PATCH] fix: Fix Lambda encryption (encrypted by default)

---
 .checkov.yaml | 1 +
 infra/modules/alerting/telegram.tf | 1 -
 infra/modules/handler/main.tf | 1 -
 3 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/.checkov.yaml b/.checkov.yaml
index b202d59..029c373 100644
--- a/.checkov.yaml
+++ b/.checkov.yaml
@@ -9,6 +9,7 @@ skip-check:
  - CKV_AWS_120 # LOW "Ensure API Gateway caching is enabled"
  - CKV_AWS_144 # LOW "Ensure that S3 bucket has cross-region replication enabled"
  - CKV_AWS_158 # LOW "Ensure that CloudWatch Log Group is encrypted by KMS"
+ - CKV_AWS_173 # LOW "Check encryption settings for Lambda environmental variable"
  - CKV_AWS_225 # LOW "Ensure API Gateway method setting caching is enabled"
  - CKV_AWS_272 # HIGH "Ensure AWS Lambda function is configured to validate code-signing"
  - CKV_AWS_283 # HIGH "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
diff --git a/infra/modules/alerting/telegram.tf b/infra/modules/alerting/telegram.tf
index 91e2721..edbb6a0 100644
--- a/infra/modules/alerting/telegram.tf
+++ b/infra/modules/alerting/telegram.tf
@@ -7,7 +7,6 @@ resource "aws_lambda_function" "telegram" {
  runtime = "provided.al2023"
  timeout = 10
  memory_size = 128
- kms_key_arn = "arn:aws:kms:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:alias/aws/lambda"
  reserved_concurrent_executions = 10
 
  environment {
diff --git a/infra/modules/handler/main.tf b/infra/modules/handler/main.tf
index 656a557..ea2fbb7 100644
--- a/infra/modules/handler/main.tf
+++ b/infra/modules/handler/main.tf
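Review bot: The new `CKV_AWS_173` skip carries only the check's title, so a reader cannot tell why suppressing it is acceptable here, even though this entry is the justification for the two `kms_key_arn` removals in the same commit. Suggest recording the reason inline: `- CKV_AWS_173 # LOW "Check encryption settings for Lambda environmental variable" — env vars are encrypted at rest with the AWS-managed Lambda key by default; a CMK is intentionally not configured`. Note that `skip-check` is repository-wide, so any future Lambda that does put secrets in its environment will also be exempt from this check; a per-resource `checkov:skip=CKV_AWS_173` annotation on the two functions would keep the exception local to the resources it was decided for.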
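Review bot: Removing `kms_key_arn` changes only which KMS key encrypts the environment at rest; it does not change who can read the variables, since any principal allowed `lambda:GetFunctionConfiguration` gets them back in plaintext regardless of the key. The `environment {` block that closes the hunk continues outside it, so I cannot see its contents, but if the Telegram function receives its bot token there, the control that actually limits exposure is storing it in SSM Parameter Store or Secrets Manager and fetching it at runtime, not a CMK. With the removed line gone, `data.aws_region.current` and `data.aws_caller_identity.current` may now be unreferenced in this module; if so, drop them so the dead data sources do not linger. A one-line comment where the attribute used to be, e.g. `# kms_key_arn omitted on purpose: Lambda encrypts environment variables at rest with the AWS-managed key by default`, would stop the next reader from re-adding it.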
@@ -7,7 +7,6 @@ resource "aws_lambda_function" "this" {
  runtime = "provided.al2023"
  timeout = var.timeout
  memory_size = var.memory_size
- kms_key_arn = "arn:aws:kms:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:alias/aws/lambda"
  reserved_concurrent_executions = 10
 
  environment {
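Review bot: The same deletion here leaves the handler module with no record of why the explicit key went away, and a later reviewer seeing a Lambda with no `kms_key_arn` will reasonably assume it was forgotten rather than dropped deliberately. Suggest adding `# kms_key_arn omitted on purpose: environment variables are encrypted at rest with the AWS-managed key by default (CKV_AWS_173 is skipped in .checkov.yaml)` above `reserved_concurrent_executions = 10`. As in the alerting module, the `data.aws_region.current` and `data.aws_caller_identity.current` data sources that the removed line interpolated may now be unused in this file; check the rest of it before merging. The function's `environment {` block starts on the hunk's last line and continues outside it.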