Merge pull request #1042 from m-wynn/fix-ckv_aws_272

Fix CKV_AWS_272 incorrect example
hlxsites · Jan 9, 2025 · 34025d5 · 34025d5
2 parents c63a83b + 7b30753
commit 34025d5
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc b/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
@@ -36,24 +36,28 @@ This policy ensures that an AWS Lambda function has been properly configured to
 
 To address the issue, you need to enable the code-signing configuration for your AWS Lambda function. Code-signing adds an extra layer of security to your application by ensuring that the deployed code is not tampered with.
 
+Example:
+
 [source,go]
 ----
 resource "aws_lambda_function" "example" {
-  function_name    = "example"
-  filename         = "example.zip"
-  source_code_hash = filebase64sha256("example.zip")
-  handler    = "exports.test"
-  runtime    = "nodejs12.x"
+  function_name = "example"
+  s3_bucket     = aws_signer_signing_job.job.signed_object[0].s3[0].bucket
+  s3_key        = aws_signer_signing_job.this.signed_object[0].s3[0].key
+  handler       = "exports.test"
+  runtime       = "nodejs12.x"
 
 + code_signing_config_arn = aws_lambda_code_signing_config.example.arn
 }
 
 resource "aws_lambda_code_signing_config" "example" {
   allowed_publishers {
-    signing_profile_version_arns = [aws_signer_signing_profile_version.example.arn]
+    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
   }
 
-  policies = "Warn"
+  policies {
+    untrusted_artifact_on_deployment = "Enforce"
+  }
 }
 ----