DMS Endpoint MongoDB Settings Password Exposed

  • Query id: f988a17f-1139-46a3-8928-f27eafd8b024
  • Query name: DMS Endpoint MongoDB Settings Password Exposed
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
    Default: 'as@3djdkDjskjs73!!'
Resources:
  NewAmpApp4:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
          AuthMechanism: String
          AuthSource: String
          AuthType: String
          DatabaseName: String
          DocsToInvestigate: String
          ExtractDocId: String
          NestingLevel: String
          Password: !Ref MasterMongoDBPassword
          Port: 80
          ServerName: String
          Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Positive test num. 2 - yaml file
Resources:
  NewAmpApp5:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
          AuthMechanism: String
          AuthSource: String
          AuthType: String
          DatabaseName: String
          DocsToInvestigate: String
          ExtractDocId: String
          NestingLevel: String
          Password: 'as@3djdkDjskjs73!!'
          Port: 80
          ServerName: String
          Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Positive test num. 3 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  NewAmpApp6:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
          AuthMechanism: String
          AuthSource: String
          AuthType: String
          DatabaseName: String
          DocsToInvestigate: String
          ExtractDocId: String
          NestingLevel: String
          Password: 'asDjskjs73!!'
          Port: 80
          ServerName: String
          Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String

Positive test num. 4 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    },
    "MasterMongoDBPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "as@3djdkDjskjs73!!"
    }
  },
  "Resources": {
    "NewAmpApp4": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "CertificateArn": "String",
        "DatabaseName": "String",
        "EndpointType": "String",
        "ExtraConnectionAttributes": "String",
        "SslMode": "String",
        "EndpointIdentifier": "String",
        "MongoDbSettings": {
          "ServerName": "String",
          "Username": "String",
          "AuthMechanism": "String",
          "AuthType": "String",
          "DatabaseName": "String",
          "DocsToInvestigate": "String",
          "NestingLevel": "String",
          "Password": "MasterMongoDBPassword",
          "AuthSource": "String",
          "ExtractDocId": "String",
          "Port": 80
        },
        "NeptuneSettings": "NeptuneSettings",
        "Password": "ParentMasterPassword",
        "Tags": [
          "Tag"
        ],
        "KafkaSettings": "KafkaSettings",
        "KinesisSettings": "KinesisSettings",
        "KmsKeyId": "String",
        "Port": 80,
        "ServerName": "String",
        "Username": "String",
        "EngineName": "String",
        "S3Settings": "S3Settings"
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Resources": {
    "NewAmpApp5": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "EndpointIdentifier": "String",
        "EngineName": "String",
        "SslMode": "String",
        "Username": "String",
        "ExtraConnectionAttributes": "String",
        "KafkaSettings": "KafkaSettings",
        "KinesisSettings": "KinesisSettings",
        "NeptuneSettings": "NeptuneSettings",
        "S3Settings": "S3Settings",
        "DatabaseName": "String",
        "MongoDbSettings": {
          "AuthMechanism": "String",
          "AuthSource": "String",
          "AuthType": "String",
          "DatabaseName": "String",
          "Port": 80,
          "Username": "String",
          "DocsToInvestigate": "String",
          "ExtractDocId": "String",
          "NestingLevel": "String",
          "Password": "as@3djdkDjskjs73!!",
          "ServerName": "String"
        },
        "Password": "asDjskjs73!!",
        "ServerName": "String",
        "CertificateArn": "String",
        "EndpointType": "String",
        "KmsKeyId": "String",
        "Port": 80,
        "Tags": [
          "Tag"
        ]
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Type": "String",
      "Description": "Password"
    },
    "MasterMongoDBPassword": {
      "Description": "Password",
      "Type": "String"
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username"
    }
  },
  "Resources": {
    "NewAmpApp6": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "ExtraConnectionAttributes": "String",
        "KafkaSettings": "KafkaSettings",
        "NeptuneSettings": "NeptuneSettings",
        "Password": "ParentMasterPassword",
        "EndpointIdentifier": "String",
        "EndpointType": "String",
        "KinesisSettings": "KinesisSettings",
        "S3Settings": "S3Settings",
        "ServerName": "String",
        "DatabaseName": "String",
        "KmsKeyId": "String",
        "MongoDbSettings": {
          "DatabaseName": "String",
          "NestingLevel": "String",
          "AuthSource": "String",
          "AuthType": "String",
          "ExtractDocId": "String",
          "Password": "asDjskjs73!!",
          "Port": 80,
          "ServerName": "String",
          "Username": "String",
          "AuthMechanism": "String",
          "DocsToInvestigate": "String"
        },
        "Port": 80,
        "Username": "String",
        "CertificateArn": "String",
        "SslMode": "String",
        "Tags": [
          "Tag"
        ],
        "EngineName": "String"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
    Default: ''
Resources:
  NewAmpApp1:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
          AuthMechanism: String
          AuthSource: String
          AuthType: String
          DatabaseName: String
          DocsToInvestigate: String
          ExtractDocId: String
          NestingLevel: String
          Password: !Ref MasterMongoDBPassword
          Port: 80
          ServerName: String
          Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Negative test num. 2 - yaml file
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  MasterMongoDBPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  NewAmpApp2:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
          AuthMechanism: String
          AuthSource: String
          AuthType: String
          DatabaseName: String
          DocsToInvestigate: String
          ExtractDocId: String
          NestingLevel: String
          Password: !Ref MasterMongoDBPassword
          Port: 80
          ServerName: String
          Username: String
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Negative test num. 3 - yaml file
Resources:
    NewAmpApp3:
      Type: AWS::DMS::Endpoint
      Properties:
        CertificateArn: String
        DatabaseName: String
        EndpointIdentifier: String
        EndpointType: String
        EngineName: String
        ExtraConnectionAttributes: String
        KafkaSettings:
          KafkaSettings
        KinesisSettings:
          KinesisSettings
        KmsKeyId: String
        MongoDbSettings:
            AuthMechanism: String
            AuthSource: String
            AuthType: String
            DatabaseName: String
            DocsToInvestigate: String
            ExtractDocId: String
            NestingLevel: String
            Password:  !Sub '{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}'
            Port: 80
            ServerName: String
            Username: String
        NeptuneSettings:
          NeptuneSettings
        Password:  !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        Port: 80
        S3Settings:
          S3Settings
        ServerName: String
        SslMode: String
        Tags:
          - Tag
        Username: String
    MyAmpAppSecretManagerRotater:
      Type: AWS::SecretsManager::Secret
      Properties:
        Description: 'This is my amp app instance secret'
        GenerateSecretString:
          SecretStringTemplate: '{"username": "admin"}'
          GenerateStringKey: 'password'
          PasswordLength: 16
          ExcludeCharacters: '"@/\'
    MongoDBSecretManagerRotater:
      Type: AWS::SecretsManager::Secret
      Properties:
        Description: 'This is my MongoDBSecretManagerRotater instance secret'
        GenerateSecretString:
          SecretStringTemplate: '{"username": "admin"}'
          GenerateStringKey: 'password'
          PasswordLength: 16
          ExcludeCharacters: '"@/\'

Negative test num. 4 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    },
    "MasterMongoDBPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "Username": "String",
        "EndpointIdentifier": "String",
        "EngineName": "String",
        "Tags": [
          "Tag"
        ],
        "Password": "ParentMasterPassword",
        "Port": 80,
        "CertificateArn": "String",
        "DatabaseName": "String",
        "EndpointType": "String",
        "KinesisSettings": "KinesisSettings",
        "KmsKeyId": "String",
        "NeptuneSettings": "NeptuneSettings",
        "S3Settings": "S3Settings",
        "ServerName": "String",
        "SslMode": "String",
        "ExtraConnectionAttributes": "String",
        "KafkaSettings": "KafkaSettings",
        "MongoDbSettings": {
          "AuthMechanism": "String",
          "NestingLevel": "String",
          "Password": "MasterMongoDBPassword",
          "Port": 80,
          "AuthSource": "String",
          "AuthType": "String",
          "DatabaseName": "String",
          "DocsToInvestigate": "String",
          "ExtractDocId": "String",
          "ServerName": "String",
          "Username": "String"
        }
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String"
    },
    "MasterMongoDBPassword": {
      "Description": "Password",
      "Type": "String"
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username"
    }
  },
  "Resources": {
    "NewAmpApp2": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "EngineName": "String",
        "KinesisSettings": "KinesisSettings",
        "Password": "ParentMasterPassword",
        "EndpointIdentifier": "String",
        "KafkaSettings": "KafkaSettings",
        "MongoDbSettings": {
          "AuthMechanism": "String",
          "AuthType": "String",
          "DatabaseName": "String",
          "ExtractDocId": "String",
          "Port": 80,
          "ServerName": "String",
          "AuthSource": "String",
          "DocsToInvestigate": "String",
          "NestingLevel": "String",
          "Password": "MasterMongoDBPassword",
          "Username": "String"
        },
        "Port": 80,
        "CertificateArn": "String",
        "Tags": [
          "Tag"
        ],
        "Username": "String",
        "NeptuneSettings": "NeptuneSettings",
        "S3Settings": "S3Settings",
        "ServerName": "String",
        "SslMode": "String",
        "DatabaseName": "String",
        "EndpointType": "String",
        "ExtraConnectionAttributes": "String",
        "KmsKeyId": "String"
      }
    }
  }
}
Negative test num. 6 - json file
{
  "Resources": {
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my amp app instance secret",
        "GenerateSecretString": {
          "ExcludeCharacters": "\"@/\\",
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16
        }
      }
    },
    "MongoDBSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my MongoDBSecretManagerRotater instance secret",
        "GenerateSecretString": {
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\",
          "SecretStringTemplate": "{\"username\": \"admin\"}"
        }
      }
    },
    "NewAmpApp3": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "EndpointType": "String",
        "ExtraConnectionAttributes": "String",
        "KmsKeyId": "String",
        "NeptuneSettings": "NeptuneSettings",
        "CertificateArn": "String",
        "S3Settings": "S3Settings",
        "Username": "String",
        "MongoDbSettings": {
          "Username": "String",
          "AuthMechanism": "String",
          "AuthType": "String",
          "DocsToInvestigate": "String",
          "ExtractDocId": "String",
          "NestingLevel": "String",
          "Password": "{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}",
          "Port": 80,
          "ServerName": "String",
          "AuthSource": "String",
          "DatabaseName": "String"
        },
        "EndpointIdentifier": "String",
        "EngineName": "String",
        "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
        "Tags": [
          "Tag"
        ],
        "DatabaseName": "String",
        "KinesisSettings": "KinesisSettings",
        "Port": 80,
        "ServerName": "String",
        "SslMode": "String",
        "KafkaSettings": "KafkaSettings"
      }
    }
  }
}