Amplify Branch Basic Auth Config Password Exposed

  • Query id: dfb56e5d-ee68-446e-b32a-657b62befe69
  • Query name: Amplify Branch Basic Auth Config Password Exposed
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: "@skdsjdk0234!AB"
        Username: admin
Positive test num. 2 - yaml file
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    Default: "@skdsjdk0234!AB"
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Positive test num. 3 - json file
{
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::Amplify::Branch",
      "Properties": {
        "BranchName": "String",
        "EnableAutoBuild": false,
        "EnvironmentVariables": [
          "EnvironmentVariable"
        ],
        "PullRequestEnvironmentName": "String",
        "AppId": "String",
        "Description": "String",
        "EnablePerformanceMode": false,
        "EnablePullRequestPreview": false,
        "Stage": "String",
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "@skdsjdk0234!AB",
          "Username": "admin"
        },
        "BuildSpec": "String"
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Resources": {
    "NewAmpApp4": {
      "Properties": {
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "ParentPassword",
          "Username": "ParentUsername"
        },
        "AppId": "String",
        "Description": "String",
        "EnableAutoBuild": false,
        "EnablePerformanceMode": false,
        "EnablePullRequestPreview": false,
        "EnvironmentVariables": [
          "EnvironmentVariable"
        ],
        "Stage": "String",
        "BranchName": "String",
        "BuildSpec": "String",
        "PullRequestEnvironmentName": "String"
      },
      "Type": "AWS::Amplify::Branch"
    }
  },
  "Parameters": {
    "ParentUsername": {
      "Description": "Username",
      "Type": "String",
      "Default": ""
    },
    "ParentPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "@skdsjdk0234!AB"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
     NewAmpApp:
        Type: AWS::Amplify::App
        Properties:
          BuildSpec: String
          CustomHeaders: String
          Description: String
          EnableBranchAutoDeletion: true
          IAMServiceRole: String
          Name: NewAmpApp
          OauthToken: String
          Repository: String
          BasicAuthConfig :
            EnableBasicAuth: true
            Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
            Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}'
     MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'
Negative test num. 2 - yaml file
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
  ParentUsername:
    Description: 'Username'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername
Negative test num. 3 - yaml file
Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    Default: ""
    NoEcho: true
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername

Negative test num. 4 - json file
{
  "Resources": {
    "NewAmpApp": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String",
        "Name": "NewAmpApp",
        "OauthToken": "String",
        "Repository": "String",
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
          "Username": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}"
        },
        "BuildSpec": "String",
        "CustomHeaders": "String",
        "Description": "String"
      }
    },
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my amp app instance secret",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Parameters": {
    "ParentPassword": {
      "Description": "Password",
      "Type": "String"
    },
    "ParentUsername": {
      "Description": "Username",
      "Type": "String"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::Amplify::Branch",
      "Properties": {
        "AppId": "String",
        "BranchName": "String",
        "EnableAutoBuild": false,
        "EnablePerformanceMode": false,
        "EnablePullRequestPreview": false,
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "ParentPassword",
          "Username": "ParentUsername"
        },
        "BuildSpec": "String",
        "Description": "String",
        "EnvironmentVariables": [
          "EnvironmentVariable"
        ],
        "PullRequestEnvironmentName": "String",
        "Stage": "String"
      }
    }
  }
}
Negative test num. 6 - json file
{
  "Resources": {
    "NewAmpApp4": {
      "Type": "AWS::Amplify::Branch",
      "Properties": {
        "EnableAutoBuild": false,
        "EnablePullRequestPreview": false,
        "EnvironmentVariables": [
          "EnvironmentVariable"
        ],
        "Stage": "String",
        "AppId": "String",
        "BranchName": "String",
        "BuildSpec": "String",
        "Description": "String",
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "ParentPassword",
          "Username": "ParentUsername"
        },
        "EnablePerformanceMode": false,
        "PullRequestEnvironmentName": "String"
      }
    }
  },
  "Parameters": {
    "ParentPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    },
    "ParentUsername": {
      "Description": "Username",
      "Type": "String",
      "Default": ""
    }
  }
}