DMS Endpoint Password Exposed
- Query id: 5f700072-b7ce-4e84-b3f3-497bf1c24a4d
- Query name: DMS Endpoint Password Exposed
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description¶
DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
DMSEndpoint4:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
NeptuneSettings:
NeptuneSettings
Password: 'asDjskjs73!!'
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Positive test num. 2 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: 'asDjskjs73!'
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
DMSEndpoint5:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Positive test num. 3 - yaml file
Parameters:
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
DMSEndpoint6:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
NeptuneSettings:
NeptuneSettings
Password: 'asDjskjs73!!'
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Positive test num. 4 - json file
{
"Resources": {
"DMSEndpoint4": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"MongoDbSettings": "MongoDbSettings",
"Port": 80,
"SslMode": "String",
"Username": "String",
"KafkaSettings": "KafkaSettings",
"EndpointIdentifier": "String",
"NeptuneSettings": "NeptuneSettings",
"DatabaseName": "String",
"ExtraConnectionAttributes": "String",
"ServerName": "String",
"Tags": [
"Tag"
],
"EngineName": "String",
"EndpointType": "String",
"KinesisSettings": "KinesisSettings",
"KmsKeyId": "String",
"Password": "asDjskjs73!!",
"S3Settings": "S3Settings",
"CertificateArn": "String"
}
}
}
}
Positive test num. 5 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": "asDjskjs73!"
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"DMSEndpoint5": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"EndpointIdentifier": "String",
"S3Settings": "S3Settings",
"ExtraConnectionAttributes": "String",
"MongoDbSettings": "MongoDbSettings",
"NeptuneSettings": "NeptuneSettings",
"Password": "ParentMasterPassword",
"CertificateArn": "String",
"EngineName": "String",
"KinesisSettings": "KinesisSettings",
"KmsKeyId": "String",
"ServerName": "String",
"Username": "String",
"DatabaseName": "String",
"EndpointType": "String",
"KafkaSettings": "KafkaSettings",
"Port": 80,
"SslMode": "String",
"Tags": [
"Tag"
]
}
}
}
}
Positive test num. 6 - json file
{
"Parameters": {
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"DMSEndpoint6": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"ServerName": "String",
"EngineName": "String",
"KinesisSettings": "KinesisSettings",
"KmsKeyId": "String",
"Port": 80,
"S3Settings": "S3Settings",
"Tags": [
"Tag"
],
"Username": "String",
"DatabaseName": "String",
"EndpointIdentifier": "String",
"MongoDbSettings": "MongoDbSettings",
"Password": "asDjskjs73!!",
"SslMode": "String",
"CertificateArn": "String",
"NeptuneSettings": "NeptuneSettings",
"EndpointType": "String",
"ExtraConnectionAttributes": "String",
"KafkaSettings": "KafkaSettings"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: ''
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
DMSEndpoint1:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Negative test num. 2 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username'
Resources:
DMSEndpoint2:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Negative test num. 3 - yaml file
Resources:
DMSEndpoint3:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
NeptuneSettings:
NeptuneSettings
Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
MyAmpAppSecretManagerRotater:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my amp app instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
Negative test num. 4 - json file
{
"Parameters": {
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
},
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
}
},
"Resources": {
"DMSEndpoint1": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"CertificateArn": "String",
"EndpointType": "String",
"EngineName": "String",
"ExtraConnectionAttributes": "String",
"EndpointIdentifier": "String",
"ServerName": "String",
"Username": "String",
"KafkaSettings": "KafkaSettings",
"KmsKeyId": "String",
"NeptuneSettings": "NeptuneSettings",
"Password": "ParentMasterPassword",
"Port": 80,
"Tags": [
"Tag"
],
"DatabaseName": "String",
"KinesisSettings": "KinesisSettings",
"MongoDbSettings": "MongoDbSettings",
"S3Settings": "S3Settings",
"SslMode": "String"
}
}
}
}
Negative test num. 5 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Type": "String",
"Description": "Password"
},
"ParentMasterUsername": {
"Type": "String",
"Default": "username",
"Description": "username"
}
},
"Resources": {
"DMSEndpoint2": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"KafkaSettings": "KafkaSettings",
"NeptuneSettings": "NeptuneSettings",
"ServerName": "String",
"Tags": [
"Tag"
],
"Username": "String",
"EngineName": "String",
"DatabaseName": "String",
"EndpointIdentifier": "String",
"EndpointType": "String",
"KinesisSettings": "KinesisSettings",
"KmsKeyId": "String",
"Password": "ParentMasterPassword",
"S3Settings": "S3Settings",
"CertificateArn": "String",
"MongoDbSettings": "MongoDbSettings",
"Port": 80,
"SslMode": "String",
"ExtraConnectionAttributes": "String"
}
}
}
}
Negative test num. 6 - json file
{
"Resources": {
"DMSEndpoint3": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"SslMode": "String",
"Username": "String",
"CertificateArn": "String",
"ExtraConnectionAttributes": "String",
"KmsKeyId": "String",
"Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
"Port": 80,
"EndpointIdentifier": "String",
"KafkaSettings": "KafkaSettings",
"KinesisSettings": "KinesisSettings",
"NeptuneSettings": "NeptuneSettings",
"S3Settings": "S3Settings",
"ServerName": "String",
"Tags": [
"Tag"
],
"DatabaseName": "String",
"EndpointType": "String",
"EngineName": "String",
"MongoDbSettings": "MongoDbSettings"
}
},
"MyAmpAppSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "This is my amp app instance secret",
"GenerateSecretString": {
"SecretStringTemplate": "{\"username\": \"admin\"}",
"GenerateStringKey": "password",
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\"
}
}
}
}
}