CloudFormation Specifying Credentials Not Safe
- Query id: 9ecb6b21-18bc-4aa7-bd07-db20f1c746db
- Query name: CloudFormation Specifying Credentials Not Safe
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description
Credentials placed in an AWS::CloudFormation::Authentication block (an IAM access key ID and secret key for `type: S3`, or a username and password for `type: basic`) become part of the template and of the stack's resource metadata. They are exposed to anyone who can call GetTemplate or DescribeStackResource, are stored wherever the template is versioned or shared, and are returned in clear text to cfn-init on the instance. This applies whether the values are hard-coded, passed in through stack parameters, or pulled from an AWS::IAM::AccessKey resource with Fn::GetAtt, as in the positive samples below. Use role-based authentication instead: attach an IAM instance profile to the instance and reference its role through the roleName property of the authentication entry, so that no long-lived secret appears in the template.
Documentation
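As an added example, not part of this page or of the KICS query source, the following Python script performs the same check over a parsed template and shows the role-based alternative beside the flagged form. Both templates it scans are constructed inline: the vulnerable one mirrors the positive tests below; the safe one assumes an IAM role and instance profile (their properties are skeletal, with the trust policy elided) referenced through roleName. Template names, resource names and the finding format are the example's own.

```python
"""Flag AWS::CloudFormation::Authentication entries that carry credentials.

Added example; it is not the KICS query implementation. It treats
accessKeyId, secretKey and password as credential properties and reports
them wherever they appear under a resource's Metadata, whether the value is
a literal, a Ref to a parameter, or a Fn::GetAtt on an AWS::IAM::AccessKey
resource. Entries that authenticate through roleName carry no secret.
"""
import json

# Properties of an authentication entry that hold a secret or the identifier
# of one. username, buckets and uris are not secrets and are not reported.
CREDENTIAL_KEYS = ("accessKeyId", "secretKey", "password")


def describe_value(value):
    """Say where a credential value comes from, for the finding text."""
    if isinstance(value, dict):
        if "Ref" in value:
            return "Ref " + str(value["Ref"])
        if "Fn::GetAtt" in value:
            return "Fn::GetAtt " + ".".join(map(str, value["Fn::GetAtt"]))
        return "intrinsic function " + ", ".join(value)
    return "literal"


def find_embedded_credentials(template):
    """Return one finding per credential property found in any resource's
    Metadata.AWS::CloudFormation::Authentication block."""
    findings = []
    for res_name, resource in template.get("Resources", {}).items():
        metadata = resource.get("Metadata") or {}
        auth_block = metadata.get("AWS::CloudFormation::Authentication") or {}
        for auth_name, entry in auth_block.items():
            if not isinstance(entry, dict):
                continue
            for key in CREDENTIAL_KEYS:
                if key in entry:
                    findings.append({
                        "resource": res_name,
                        "authentication": auth_name,
                        "type": entry.get("type"),
                        "property": key,
                        "source": describe_value(entry[key]),
                    })
    return findings


# Constructed sample mirroring the positive tests: an S3 entry fed by an
# AWS::IAM::AccessKey resource and a basic-auth entry fed by parameters.
VULNERABLE_TEMPLATE = json.loads("""{
  "Resources": {
    "CfnKeys": {"Type": "AWS::IAM::AccessKey", "Properties": {"UserName": {"Ref": "CfnUser"}}},
    "WebServer": {"Type": "AWS::EC2::Instance", "Metadata": {
      "AWS::CloudFormation::Authentication": {"S3AccessCreds": {
        "type": "S3",
        "accessKeyId": {"Ref": "CfnKeys"},
        "secretKey": {"Fn::GetAtt": ["CfnKeys", "SecretAccessKey"]}}}}},
    "WebServer2": {"Type": "AWS::EC2::Instance", "Metadata": {
      "AWS::CloudFormation::Authentication": {"BasicAccessCreds": {
        "type": "basic",
        "username": {"Ref": "UserName"},
        "password": {"Ref": "Password"},
        "uris": ["example.com/test"]}}}}
  }
}""")

# Constructed remediation (assumed names): the instance gets an IAM instance
# profile and the entry names the role, so no key material is in the template.
# The role's trust policy and permissions are elided here.
SAFE_TEMPLATE = json.loads("""{
  "Resources": {
    "InstanceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "InstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                        "Properties": {"Roles": [{"Ref": "InstanceRole"}]}},
    "WebServer": {"Type": "AWS::EC2::Instance",
      "Properties": {"IamInstanceProfile": {"Ref": "InstanceProfile"}},
      "Metadata": {"AWS::CloudFormation::Authentication": {"S3AccessCreds": {
        "type": "S3",
        "roleName": {"Ref": "InstanceRole"},
        "buckets": [{"Ref": "BucketName"}]}}}}
  }
}""")


if __name__ == "__main__":
    for name, template in (("vulnerable", VULNERABLE_TEMPLATE),
                           ("safe", SAFE_TEMPLATE)):
        findings = find_embedded_credentials(template)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['resource']}.{f['authentication']} ({f['type']}): "
                  f"{f['property']} from {f['source']}")
```

The script reports three findings for the vulnerable template (the access key ID, the secret key and the basic-auth password) and none for the role-based one. A Ref to a NoEcho parameter is still reported: the value is masked in the console but is nevertheless resolved into the resource metadata that cfn-init retrieves.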
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    DependsOn: "BucketPolicy"
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              source:
                Fn::Join:
                  - ""
                  -
                    - "http://s3.amazonaws.com/"
                    - Ref: "BucketName"
                    - "/index.html"
              mode: "000400"
              owner: "apache"
              group: "apache"
              authentication: "S3AccessCreds"
          services:
            sysvinit:
              httpd:
                enabled: "true"
                ensureRunning: "true"
      AWS::CloudFormation::Authentication:
        S3AccessCreds:
          type: "S3"
          accessKeyId:
            Ref: "CfnKeys"
          secretKey:
            Fn::GetAtt:
              - "CfnKeys"
              - "SecretAccessKey"
  WebServer2:
    Type: AWS::EC2::Instance
    DependsOn: "BucketPolicy"
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              source:
                Fn::Join:
                  - ""
                  -
                    - "http://s3.amazonaws.com/"
                    - Ref: "BucketName"
                    - "/index.html"
              mode: "000400"
              owner: "apache"
              group: "apache"
              authentication: "S3AccessCreds"
          services:
            sysvinit:
              httpd:
                enabled: "true"
                ensureRunning: "true"
      AWS::CloudFormation::Authentication:
        BasicAccessCreds:
          type: "basic"
          username:
            Ref: "UserName"
          password:
            Ref: "Password"
          uris:
            - "example.com/test"
Properties:
  EC2 Resource Properties ...
Positive test num. 2 - json file
{
  "Properties": "EC2 Resource Properties ...",
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "WebServer": {
      "DependsOn": "BucketPolicy",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": {
              "yum": {
                "httpd": []
              }
            },
            "files": {
              "/var/www/html/index.html": {
                "authentication": "S3AccessCreds",
                "source": {
                  "Fn::Join": [
                    "",
                    [
                      "http://s3.amazonaws.com/",
                      {
                        "Ref": "BucketName"
                      },
                      "/index.html"
                    ]
                  ]
                },
                "mode": "000400",
                "owner": "apache",
                "group": "apache"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                }
              }
            }
          }
        },
        "AWS::CloudFormation::Authentication": {
          "S3AccessCreds": {
            "type": "S3",
            "accessKeyId": {
              "Ref": "CfnKeys"
            },
            "secretKey": {
              "Fn::GetAtt": [
                "CfnKeys",
                "SecretAccessKey"
              ]
            }
          }
        }
      },
      "Type": "AWS::EC2::Instance"
    },
    "WebServer2": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "BucketPolicy",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": {
              "yum": {
                "httpd": []
              }
            },
            "files": {
              "/var/www/html/index.html": {
                "group": "apache",
                "authentication": "S3AccessCreds",
                "source": {
                  "Fn::Join": [
                    "",
                    [
                      "http://s3.amazonaws.com/",
                      {
                        "Ref": "BucketName"
                      },
                      "/index.html"
                    ]
                  ]
                },
                "mode": "000400",
                "owner": "apache"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                }
              }
            }
          }
        },
        "AWS::CloudFormation::Authentication": {
          "BasicAccessCreds": {
            "uris": [
              "example.com/test"
            ],
            "type": "basic",
            "username": {
              "Ref": "UserName"
            },
            "password": {
              "Ref": "Password"
            }
          }
        }
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              source:
                Fn::Join:
                  - ""
                  -
                    - "http://s3.amazonaws.com/"
                    - Ref: "BucketName"
                    - "/index.html"
              mode: "000400"
              owner: "apache"
              group: "apache"
              authentication: "S3AccessCreds"
          services:
            sysvinit:
              httpd:
                enabled: "true"
                ensureRunning: "true"
Negative test num. 2 - json file
{
  "Resources": {
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "BucketPolicy",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": {
              "yum": {
                "httpd": []
              }
            },
            "files": {
              "/var/www/html/index.html": {
                "source": {
                  "Fn::Join": [
                    "",
                    [
                      "http://s3.amazonaws.com/",
                      {
                        "Ref": "BucketName"
                      },
                      "/index.html"
                    ]
                  ]
                },
                "mode": "000400",
                "owner": "apache",
                "group": "apache",
                "authentication": "S3AccessCreds"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                }
              }
            }
          }
        }
      }
    }
  },
  "Properties": "EC2 Resource Properties ...",
  "AWSTemplateFormatVersion": "2010-09-09"
}