DocDB Cluster Master Password In Plaintext

  • Query id: 39423ce4-9011-46cd-b6b1-009edcd9385d
  • Query name: DocDB Cluster Master Password In Plaintext
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  NewAmpApp:
    Type:  AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: 'asDjskjs73!!'
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Positive test num. 2 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: 'asDjskjs73!'
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Positive test num. 3 - yaml file
Resources:
  NewAmpApp03:
    Type:  AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: 'asDjskjs73!!'
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

Positive test num. 4 - json file
{
  "Resources": {
    "NewAmpApp": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DBSubnetGroupName": "default",
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "Port": 27017,
        "StorageEncrypted": true,
        "BackupRetentionPeriod": 8,
        "DBClusterIdentifier": "sample-cluster",
        "DeletionProtection": true,
        "MasterUserPassword": "asDjskjs73!!",
        "PreferredBackupWindow": "07:34-08:04"
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "asDjskjs73!"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "PreferredBackupWindow": "07:34-08:04",
        "BackupRetentionPeriod": 8,
        "DBClusterIdentifier": "sample-cluster",
        "DeletionProtection": true,
        "MasterUserPassword": "ParentMasterPassword",
        "Port": 27017,
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true,
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DBSubnetGroupName": "default"
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Resources": {
    "NewAmpApp03": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "Port": 27017,
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "DBClusterIdentifier": "sample-cluster",
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DBSubnetGroupName": "default",
        "DeletionProtection": true,
        "KmsKeyId": "your-kms-key-id",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true,
        "BackupRetentionPeriod": 8,
        "MasterUsername": "your-master-username",
        "MasterUserPassword": "asDjskjs73!!"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Negative test num. 2 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Negative test num. 3 - yaml file
Resources:
     NewAmpApp2:
        Type: AWS::DocDB::DBCluster
        Properties:
          MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
          Port: 27017
          PreferredBackupWindow: "07:34-08:04"
          PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
          SnapshotIdentifier: "sample-cluster-snapshot-id"
          StorageEncrypted: true
     MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username":"admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'

Negative test num. 4 - yaml file
Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
Negative test num. 5 - yaml file
Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
Negative test num. 6 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Properties": {
        "BackupRetentionPeriod": 8,
        "DBSubnetGroupName": "default",
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "Port": 27017,
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true,
        "DBClusterIdentifier": "sample-cluster",
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DeletionProtection": true,
        "MasterUserPassword": "ParentMasterPassword",
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21"
      },
      "Type": "AWS::DocDB::DBCluster"
    }
  }
}
Negative test num. 7 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "sample-cluster",
        "DBSubnetGroupName": "default",
        "DeletionProtection": true,
        "MasterUserPassword": "ParentMasterPassword",
        "Port": 27017,
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "BackupRetentionPeriod": 8,
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "StorageEncrypted": true,
        "DBClusterParameterGroupName": "default.docdb3.6"
      }
    }
  }
}
Negative test num. 8 - json file
{
  "Resources": {
    "NewAmpApp2": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "MasterUserPassword": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
        "Port": 27017,
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true
      }
    },
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my amp app instance secret",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\":\"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    }
  }
}
Negative test num. 9 - json file
{
  "Parameters": {
    "ParentAccessToken": {
      "Type": "String",
      "Description": "Access Token"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "Name": "NewAmpApp",
        "OauthToken": "String",
        "Description": "String",
        "EnableBranchAutoDeletion": true,
        "CustomHeaders": "String",
        "IAMServiceRole": "String",
        "Repository": "String",
        "AccessToken": "ParentAccessToken",
        "BuildSpec": "String"
      }
    }
  }
}
Negative test num. 10 - json file
{
  "Parameters": {
    "ParentAccessToken": {
      "Description": "Access Token",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp4": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "AccessToken": "ParentAccessToken",
        "Description": "String",
        "Repository": "String",
        "OauthToken": "String",
        "BuildSpec": "String",
        "CustomHeaders": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String",
        "Name": "NewAmpApp"
      }
    }
  }
}