Amplify Branch Basic Auth Config Password Exposed
- Query id: dfb56e5d-ee68-446e-b32a-657b62befe69
- Query name: Amplify Branch Basic Auth Config Password Exposed
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description¶
Amplify Branch BasicAuthConfig Password must not be a plaintext string literal, nor a `!Ref` to a Parameter that carries a non-empty `Default` value (the default is itself a hard-coded secret committed with the template). Supply the password through a Secrets Manager dynamic reference (`{{resolve:secretsmanager:...}}`, as in the negative samples), or through a Parameter with no `Default` and `NoEcho: true`, so the value is provided at deploy time and masked in stack output rather than stored in the template source.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
# Positive: the Branch password is a string literal embedded in the template,
# so the secret is committed to source control together with the template.
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Plaintext literal: flagged by this query.
        Password: "@skdsjdk0234!AB"
        Username: admin
Positive test num. 2 - yaml file
# Positive: the password comes in through !Ref, but the Parameter carries a
# non-empty Default, so the literal secret is still hard-coded in the template.
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    # Non-empty Default holding the secret: flagged by this query.
    Default: "@skdsjdk0234!AB"
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Resolves to the Default above unless a value is supplied at deploy time.
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Positive test num. 3 - json file
{
"Resources": {
"NewAmpApp1": {
"Type": "AWS::Amplify::Branch",
"Properties": {
"BranchName": "String",
"EnableAutoBuild": false,
"EnvironmentVariables": [
"EnvironmentVariable"
],
"PullRequestEnvironmentName": "String",
"AppId": "String",
"Description": "String",
"EnablePerformanceMode": false,
"EnablePullRequestPreview": false,
"Stage": "String",
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "@skdsjdk0234!AB",
"Username": "admin"
},
"BuildSpec": "String"
}
}
}
}
Positive test num. 4 - json file
{
"Resources": {
"NewAmpApp4": {
"Properties": {
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "ParentPassword",
"Username": "ParentUsername"
},
"AppId": "String",
"Description": "String",
"EnableAutoBuild": false,
"EnablePerformanceMode": false,
"EnablePullRequestPreview": false,
"EnvironmentVariables": [
"EnvironmentVariable"
],
"Stage": "String",
"BranchName": "String",
"BuildSpec": "String",
"PullRequestEnvironmentName": "String"
},
"Type": "AWS::Amplify::Branch"
}
},
"Parameters": {
"ParentUsername": {
"Description": "Username",
"Type": "String",
"Default": ""
},
"ParentPassword": {
"Description": "Password",
"Type": "String",
"Default": "@skdsjdk0234!AB"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
# Negative: no password value is written in the template. The secret is generated
# at deploy time by the AWS::SecretsManager::Secret below and pulled in through a
# dynamic reference.
# NOTE(review): this resource is an AWS::Amplify::App, not the AWS::Amplify::Branch
# this query targets; the same dynamic-reference pattern is the fix for a Branch too.
Resources:
  NewAmpApp:
    Type: AWS::Amplify::App
    Properties:
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      # NOTE(review): OauthToken is a repository credential as well; source it the same
      # way as the password rather than as a literal (not covered by this query).
      OauthToken: String
      Repository: String
      BasicAuthConfig :
        EnableBasicAuth: true
        # {{resolve:secretsmanager:...}} is resolved by CloudFormation at deploy time;
        # !Sub substitutes ${MyAmpAppSecretManagerRotater} with the secret resource's Ref.
        Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}'
  MyAmpAppSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my amp app instance secret'
      # Only the password is generated; the username is fixed in the template (not sensitive).
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
Negative test num. 2 - yaml file
# Negative: the Parameter has no Default, so the password must be supplied at deploy
# time and nothing secret is stored in the template.
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    # NOTE(review): add NoEcho: true here (as in negative test 3) so the supplied
    # value is masked in stack describe/console output; this query does not require it.
  ParentUsername:
    Description: 'Username'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        # Reference to a Parameter without a Default: not flagged.
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Negative test num. 3 - yaml file
# Negative: an empty Default is not treated as a hard-coded secret by this query,
# and NoEcho masks the supplied value in stack output.
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    # NOTE(review): with an empty Default, a stack deployed without overriding this
    # parameter would enable basic auth with an empty password (if the service accepts
    # it); prefer omitting Default entirely so a value must be supplied.
    Default: ""
    NoEcho: true
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Negative test num. 4 - json file (note: the `${MyAmpAppSecretManagerRotater}` placeholder is only substituted inside `Fn::Sub`; as a bare string it stays literal, so a real template needs `{"Fn::Sub": "{{resolve:secretsmanager:...}}"}` here, as the YAML sample does with `!Sub`)
{
"Resources": {
"NewAmpApp": {
"Type": "AWS::Amplify::App",
"Properties": {
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String",
"Name": "NewAmpApp",
"OauthToken": "String",
"Repository": "String",
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
"Username": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}"
},
"BuildSpec": "String",
"CustomHeaders": "String",
"Description": "String"
}
},
"MyAmpAppSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "This is my amp app instance secret",
"GenerateSecretString": {
"SecretStringTemplate": "{\"username\": \"admin\"}",
"GenerateStringKey": "password",
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\"
}
}
}
}
}
Negative test num. 5 - json file (note: in CloudFormation JSON a parameter reference is written `{"Ref": "ParentPassword"}`; the bare string `"ParentPassword"` used here and in negative test 6 is a literal value, so a real template written this way would hard-code that string as the password)
{
"Parameters": {
"ParentPassword": {
"Description": "Password",
"Type": "String"
},
"ParentUsername": {
"Description": "Username",
"Type": "String"
}
},
"Resources": {
"NewAmpApp1": {
"Type": "AWS::Amplify::Branch",
"Properties": {
"AppId": "String",
"BranchName": "String",
"EnableAutoBuild": false,
"EnablePerformanceMode": false,
"EnablePullRequestPreview": false,
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "ParentPassword",
"Username": "ParentUsername"
},
"BuildSpec": "String",
"Description": "String",
"EnvironmentVariables": [
"EnvironmentVariable"
],
"PullRequestEnvironmentName": "String",
"Stage": "String"
}
}
}
}
Negative test num. 6 - json file
{
"Resources": {
"NewAmpApp4": {
"Type": "AWS::Amplify::Branch",
"Properties": {
"EnableAutoBuild": false,
"EnablePullRequestPreview": false,
"EnvironmentVariables": [
"EnvironmentVariable"
],
"Stage": "String",
"AppId": "String",
"BranchName": "String",
"BuildSpec": "String",
"Description": "String",
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "ParentPassword",
"Username": "ParentUsername"
},
"EnablePerformanceMode": false,
"PullRequestEnvironmentName": "String"
}
}
},
"Parameters": {
"ParentPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentUsername": {
"Description": "Username",
"Type": "String",
"Default": ""
}
}
}