
aws-secretsmanager: Update secrets rotation lambda to address AWS Inspector finding #32973

Closed
2 tasks
Gum-Christopher-bah opened this issue Jan 16, 2025 · 2 comments
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager feature-request A feature should be added or improved. p2

Comments

@Gum-Christopher-bah

Describe the feature

The current application lambda triggers an Inspector vulnerability finding during scans. Using single-user rotation tied to a Postgres RDS cluster. Finding:

"type": "CODE_VULNERABILITY",
  "description": "User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.",
  "title": "CWE-117,93 - Log injection",
  "remediation": {
    "recommendation": {
      "text": "You have a log statement that might use unsanitized input. Depending on the context, this could result in:\n\n1. A log injection attack that breaks log integrity, forges log entries, or bypasses monitors that use the logs. To increase the security of your code, sanitize your inputs before logging them. [Learn more](https://cwe.mitre.org/data/definitions/117.html)\n\n2. A sensitive information leak that exposes users' credentials, private information, or identifying information to an attacker. To preserve privacy in your code, redact sensitive user information before logging it. [Learn more](https://cwe.mitre.org/data/definitions/532.html)\n\nSimilar issue at line numbers 63, 66, 69, 115, 125, 161, 196, 209, 247, and 250."
    }
  },
  "severity": "HIGH",
.....
  "codeVulnerabilityDetails": {
    "filePath": {
      "fileName": "lambda_function.py",
      "filePath": "lambda_function.py",
      "startLine": 59,
      "endLine": 59
    },

Use Case

To pass audits. I understand that this isn't a user-facing lambda.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.173.4

Environment details (OS name and version, etc.)

Not relevant
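The finding quoted above is the generic CWE-117 pattern: an event field (secret ARN, request token, step name) written straight into a log record, so a value containing a newline can start a forged record. The following is an added example of how a rotation handler can neutralise that, together with the CWE-532 redaction the same finding mentions. It is not code from the aws-samples rotation template or from the issue author. Only the event shape (SecretId, ClientRequestToken, Step) and the four step names are what Secrets Manager actually sends; the helper names, the SENSITIVE_KEYS list, the truncation limit and the sample inputs are assumptions made for the illustration.

```python
"""Added example (not the rotation template's own code): log-injection
(CWE-117/93) and sensitive-data (CWE-532) hardening for a Secrets Manager
rotation handler. Helper names, SENSITIVE_KEYS, max_len and sample inputs
are assumptions; the event shape and step names are what Secrets Manager sends."""
import json
import logging
import re

logger = logging.getLogger("rotation")

# The four steps Secrets Manager passes to a rotation function; anything
# else is logged as a placeholder instead of echoing attacker-chosen text.
ALLOWED_STEPS = frozenset({"createSecret", "setSecret", "testSecret", "finishSecret"})

# Keys whose values must never reach a log (CWE-532). Assumed list.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "apikey")

# CR, LF, the other C0/C1 control characters and the Unicode line and
# paragraph separators can all end a log record or confuse a log parser.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def sanitize_for_log(value, max_len=256):
    """Return a single-line, printable form of an untrusted value (CWE-117).

    Each control character is replaced by its Python escape (a real newline
    becomes the two characters backslash + n), so the value can no longer
    start a forged record, and the result is truncated so oversized input
    cannot flood the log.
    """
    text = _CONTROL_RE.sub(lambda m: repr(m.group(0))[1:-1], str(value))
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    return text


def redact_secret_dict(data):
    """Return a copy of a secret payload with sensitive values masked (CWE-532)."""
    redacted = {}
    for key, val in data.items():
        if any(marker in key.lower() for marker in SENSITIVE_KEYS):
            redacted[key] = "***"
        elif isinstance(val, dict):
            redacted[key] = redact_secret_dict(val)
        else:
            redacted[key] = val
    return redacted


def format_rotation_log(event):
    """Build the one-line message a rotation handler would log for an event."""
    step = str(event.get("Step", ""))
    if step not in ALLOWED_STEPS:  # allow-list, do not echo the raw value
        step = "<unexpected step>"
    return "rotation step=%s secret_id=%s token=%s" % (
        step,
        sanitize_for_log(event.get("SecretId", "")),
        sanitize_for_log(event.get("ClientRequestToken", "")),
    )


def format_secret_log(secret_payload):
    """Log-safe rendering of a secret's JSON: redacted first, then sanitised."""
    return sanitize_for_log(json.dumps(redact_secret_dict(secret_payload), sort_keys=True), max_len=1024)


# Constructed sample input: a SecretId and Step carrying embedded newlines and
# a fake "success" record, as anything able to influence those fields could supply.
FORGED_EVENT = {
    "SecretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-AbCdEf"
                "\n2025-01-16 10:00:00 INFO rotation step=finishSecret succeeded",
    "ClientRequestToken": "0d4f1c0e-1b2a-4c3d-9e8f-000000000000",
    "Step": "createSecret\nINFO forged",
}

# Constructed sample secret value in the shape the single-user Postgres template expects.
SAMPLE_SECRET = {"username": "app_user", "password": "hunter2",
                 "host": "db.example.internal", "dbname": "appdb"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    # Vulnerable pattern the scanner flags: raw event field interpolated into the log.
    print("UNSAFE:\n" + "rotation secret_id=%s" % FORGED_EVENT["SecretId"])
    # Hardened pattern: one record, escapes visible, no newline survives.
    logger.info(format_rotation_log(FORGED_EVENT))
    logger.info("current secret: %s", format_secret_log(SAMPLE_SECRET))
```

Running the block prints the unsafe rendering as two lines, the second of which looks like a genuine success record, followed by the hardened rendering as a single record in which the injected newline appears as a literal `\n`. Escaping rather than stripping keeps the evidence of the attempt visible to whoever reads the log.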

@Gum-Christopher-bah Gum-Christopher-bah added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 16, 2025
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Jan 16, 2025
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 17, 2025
@khushail khushail self-assigned this Jan 17, 2025
@khushail
Contributor

khushail commented Jan 17, 2025

Hi @Gum-Christopher-bah, thanks for reaching out. Looks like this secret rotation lambda update is handled by a separate team:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#sar-template-postgre-singleuser

You might want to create an internal ticket with the mentioned team (aws-samples) and follow up on the same.

For now, I am closing this issue as the CDK Team can't do anything here. Please feel free to reopen / reach out if you need any further help.

EDIT: You can create an issue here: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas

Thanks.

@khushail khushail removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Jan 17, 2025
@khushail khushail removed their assignment Jan 17, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 17, 2025