Amplify App Basic Auth Config Password Exposed

  • Query id: 71493c8b-3014-404c-9802-078b74496fb7
  • Query name: Amplify App Basic Auth Config Password Exposed
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  NewAmpApp-1:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: "@skdsjdk0234!AB"
        Username: admin
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    Default: "@skdsjdk0234!AB"
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp-4:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "NewAmpApp-1": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "OauthToken": "String",
        "Repository": "String",
        "BasicAuthConfig": {
          "Username": "admin",
          "EnableBasicAuth": true,
          "Password": "@skdsjdk0234!AB"
        },
        "CustomHeaders": "String",
        "Description": "String",
        "Name": "NewAmpApp",
        "BuildSpec": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String"
      }
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Parameters": {
    "ParentUsername": {
      "Description": "Username",
      "Type": "String",
      "Default": ""
    },
    "ParentPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "@skdsjdk0234!AB"
    }
  },
  "Resources": {
    "NewAmpApp-4": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "CustomHeaders": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String",
        "OauthToken": "String",
        "Repository": "String",
        "BuildSpec": "String",
        "Description": "String",
        "Name": "NewAmpApp",
        "BasicAuthConfig": {
          "Password": "ParentPassword",
          "Username": "ParentUsername",
          "EnableBasicAuth": true
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
     NewAmpApp-2:
        Type: AWS::Amplify::App
        Properties:
          BuildSpec: String
          CustomHeaders: String
          Description: String
          EnableBranchAutoDeletion: true
          IAMServiceRole: String
          Name: NewAmpApp
          OauthToken: String
          Repository: String
          BasicAuthConfig :
            EnableBasicAuth: true
            Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
            Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}'
     MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'
Negative test num. 2 - yaml file
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
  ParentUsername:
    Description: 'Username'
    Type: String
Resources:
  NewAmpApp-1:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Negative test num. 3 - yaml file
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    Default: ""
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp-4:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername

Negative test num. 4 - json file
{
  "Resources": {
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "GenerateSecretString": {
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\",
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password"
        },
        "Description": "This is my amp app instance secret"
      }
    },
    "NewAmpApp-2": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
          "Username": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}"
        },
        "Description": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String",
        "Name": "NewAmpApp",
        "BuildSpec": "String",
        "CustomHeaders": "String",
        "OauthToken": "String",
        "Repository": "String"
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Resources": {
    "NewAmpApp-1": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "ParentPassword",
          "Username": "ParentUsername"
        },
        "BuildSpec": "String",
        "Name": "NewAmpApp",
        "OauthToken": "String",
        "Repository": "String",
        "CustomHeaders": "String",
        "Description": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String"
      }
    }
  },
  "Parameters": {
    "ParentPassword": {
      "Description": "Password",
      "Type": "String"
    },
    "ParentUsername": {
      "Description": "Username",
      "Type": "String"
    }
  }
}
Negative test num. 6 - json file
{
  "Parameters": {
    "ParentPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    },
    "ParentUsername": {
      "Description": "Username",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp-4": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "BuildSpec": "String",
        "Description": "String",
        "EnableBranchAutoDeletion": true,
        "Repository": "String",
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "ParentPassword",
          "Username": "ParentUsername"
        },
        "CustomHeaders": "String",
        "IAMServiceRole": "String",
        "Name": "NewAmpApp",
        "OauthToken": "String"
      }
    }
  }
}