Amplify App Basic Auth Config Password Exposed
- Query id: 71493c8b-3014-404c-9802-078b74496fb7
- Query name: Amplify App Basic Auth Config Password Exposed
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description
Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter that has a Default value; as the negative samples below show, a Ref to a Parameter with no Default or an empty Default ("") is not flagged.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive sample: BasicAuthConfig.Password is a plaintext literal, so the
# credential is committed with the template and visible to anyone who can read it.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  NewAmpApp-1:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Hard-coded password: this is what the query reports.
        Password: "@skdsjdk0234!AB"
        Username: admin
Positive test num. 2 - yaml file
# Positive sample: Password is a Ref to a Parameter, but that Parameter carries a
# non-empty Default, so the secret still lives in the template despite the indirection.
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    # The Default value is the committed credential; remove it (or source the
    # value from a secret store) to make this template compliant.
    Default: "@skdsjdk0234!AB"
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp-4:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Ref to a Parameter with a Default: reported by the query.
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::Amplify::App",
"Properties": {
"OauthToken": "String",
"Repository": "String",
"BasicAuthConfig": {
"Username": "admin",
"EnableBasicAuth": true,
"Password": "@skdsjdk0234!AB"
},
"CustomHeaders": "String",
"Description": "String",
"Name": "NewAmpApp",
"BuildSpec": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String"
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Parameters": {
"ParentUsername": {
"Description": "Username",
"Type": "String",
"Default": ""
},
"ParentPassword": {
"Description": "Password",
"Type": "String",
"Default": "@skdsjdk0234!AB"
}
},
"Resources": {
"NewAmpApp-4": {
"Type": "AWS::Amplify::App",
"Properties": {
"CustomHeaders": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String",
"OauthToken": "String",
"Repository": "String",
"BuildSpec": "String",
"Description": "String",
"Name": "NewAmpApp",
"BasicAuthConfig": {
"Password": "ParentPassword",
"Username": "ParentUsername",
"EnableBasicAuth": true
}
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative sample: the password is never written into the template. It is generated
# by an AWS::SecretsManager::Secret resource and pulled in through a Secrets Manager
# dynamic reference, so the template only contains a pointer to the secret.
Resources:
  NewAmpApp-2:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      # NOTE(review): OauthToken is also a credential-bearing property on this
      # resource; this query only covers BasicAuthConfig.Password.
      OauthToken: String
      Repository: String
      BasicAuthConfig :
        EnableBasicAuth: true
        # Dynamic references resolve at deploy time; the value never appears in the template.
        Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}'
  MyAmpAppSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my amp app instance secret'
      GenerateSecretString:
        # Only the username is templated; the password is generated by Secrets Manager.
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
Negative test num. 2 - yaml file
# Negative sample: Password is a Ref to a Parameter with no Default, so the value
# must be supplied at deploy time and is not present in the template.
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    # NOTE(review): consider adding NoEcho: true so the supplied value is masked
    # in stack describe output; that is outside what this query checks.
  ParentUsername:
    Description: 'Username'
    Type: String
Resources:
  NewAmpApp-1:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Ref to a Parameter without a Default: not reported.
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Negative test num. 3 - yaml file
# Negative sample: the referenced Parameter has an empty Default (""), which the
# query does not treat as an embedded credential; the real value still has to be
# supplied at deploy time.
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    # Empty Default: no secret material in the template.
    Default: ""
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp-4:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Ref to a Parameter whose Default is empty: not reported.
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Negative test num. 4 - json file
{
"Resources": {
"MyAmpAppSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"GenerateSecretString": {
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\",
"SecretStringTemplate": "{\"username\": \"admin\"}",
"GenerateStringKey": "password"
},
"Description": "This is my amp app instance secret"
}
},
"NewAmpApp-2": {
"Type": "AWS::Amplify::App",
"Properties": {
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
"Username": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}"
},
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String",
"Name": "NewAmpApp",
"BuildSpec": "String",
"CustomHeaders": "String",
"OauthToken": "String",
"Repository": "String"
}
}
}
}
Negative test num. 5 - json file
{
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::Amplify::App",
"Properties": {
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "ParentPassword",
"Username": "ParentUsername"
},
"BuildSpec": "String",
"Name": "NewAmpApp",
"OauthToken": "String",
"Repository": "String",
"CustomHeaders": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String"
}
}
},
"Parameters": {
"ParentPassword": {
"Description": "Password",
"Type": "String"
},
"ParentUsername": {
"Description": "Username",
"Type": "String"
}
}
}
Negative test num. 6 - json file
{
"Parameters": {
"ParentPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentUsername": {
"Description": "Username",
"Type": "String",
"Default": ""
}
},
"Resources": {
"NewAmpApp-4": {
"Type": "AWS::Amplify::App",
"Properties": {
"BuildSpec": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"Repository": "String",
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "ParentPassword",
"Username": "ParentUsername"
},
"CustomHeaders": "String",
"IAMServiceRole": "String",
"Name": "NewAmpApp",
"OauthToken": "String"
}
}
}
}