Directory Service Microsoft AD Password Set to Plaintext or Default Ref
- Query id: 06b9f52a-8cd5-459b-bdc6-21a22521e1be
- Query name: Directory Service Microsoft AD Password Set to Plaintext or Default Ref
- Platform: CloudFormation
- Severity: High
- Category: Secret Management
- URL: Github
Description
The Password property of an AWS::DirectoryService::MicrosoftAD resource is the directory's Admin credential. It must not be a plaintext string, and it must not be a Ref to a Parameter that carries a Default value: in both cases the password is committed to the template and is readable by anyone with access to the repository or to the deployed stack's template body. Take the value from a Secrets Manager (or SSM SecureString) dynamic reference instead, or from a Parameter that has no Default and is marked NoEcho: true so the value supplied at deploy time is masked in stack descriptions.
Documentation
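The rule above as detection logic, added here as an example and not part of the KICS query itself: a small Python checker that walks a CloudFormation template, finds every AWS::DirectoryService::MicrosoftAD resource and reports a Password that is a plaintext literal or a Ref to a Parameter with a Default. Function names, the constructed sample templates and the placeholder property values are assumptions; the one deliberate design choice taken from this page is that an empty Default counts as no default (negative test 1 below). JSON input needs only the standard library; YAML input is handled through an optional PyYAML loader that converts the short-form tags (!Ref, !Sub) into their long forms so both formats are checked the same way.

```python
"""Checker for the rule on this page: flag AWS::DirectoryService::MicrosoftAD
resources whose Password is a plaintext string or a Ref to a Parameter that has
a (non-empty) Default. Dynamic references ({{resolve:...}}) and Refs to
parameters without a Default pass. JSON needs only the standard library; YAML
templates additionally need PyYAML (optional)."""
import json
from typing import Any, Dict, List, Tuple

try:
    import yaml  # optional: only used by load_template for YAML input
except ImportError:
    yaml = None

DIRECTORY_TYPE = "AWS::DirectoryService::MicrosoftAD"


def load_template(text: str) -> Dict[str, Any]:
    """Parse a JSON or YAML template. Short-form tags such as !Ref X and !Sub S
    are turned into the long forms {"Ref": "X"} and {"Fn::Sub": "S"} so the
    checker sees the same structure for both formats."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise RuntimeError("PyYAML is required to load YAML templates")

    class CfnLoader(yaml.SafeLoader):
        pass

    def construct_tag(loader, suffix, node):
        key = "Ref" if suffix == "Ref" else "Fn::" + suffix
        if isinstance(node, yaml.ScalarNode):
            return {key: loader.construct_scalar(node)}
        if isinstance(node, yaml.SequenceNode):
            return {key: loader.construct_sequence(node, deep=True)}
        return {key: loader.construct_mapping(node, deep=True)}

    CfnLoader.add_multi_constructor("!", construct_tag)
    return yaml.load(text, Loader=CfnLoader)


def is_dynamic_reference(value: str) -> bool:
    """True for Secrets Manager / SSM dynamic references, e.g.
    '{{resolve:secretsmanager:MySecret::password}}' or '{{resolve:ssm-secure:/ad/pw:1}}'."""
    return value.strip().startswith("{{resolve:")


def find_password_findings(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (logical_id, reason) for each MicrosoftAD resource that breaks the rule."""
    params = template.get("Parameters") or {}
    findings: List[Tuple[str, str]] = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != DIRECTORY_TYPE:
            continue
        password = (resource.get("Properties") or {}).get("Password")
        if password is None:
            continue  # Password is required; CloudFormation rejects the template itself
        if isinstance(password, str):
            # Any literal that is not a dynamic reference is a secret committed to the template.
            if not is_dynamic_reference(password):
                findings.append((logical_id, "Password is a plaintext string"))
        elif isinstance(password, dict) and list(password) == ["Ref"]:
            name = password["Ref"]
            param = params.get(name) or {}  # a Ref to a resource (not a parameter) yields {}
            # As in negative test 1 on this page, an empty Default counts as no default.
            if param.get("Default") not in (None, ""):
                findings.append((logical_id, f"Password is a Ref to parameter {name}, which has a Default"))
        # Other intrinsics (e.g. Fn::Sub wrapping a dynamic reference) are outside this rule.
    return findings


# Constructed sample templates modelled on the page's cases. The MicrosoftAD
# properties are placeholders (VpcSettings etc. omitted); only Password matters here.
_AD_PROPS = {"Name": "corp.example.com", "ShortName": "CORP", "Edition": "Standard"}
SAMPLE_PLAINTEXT = {"Resources": {"Ad": {"Type": DIRECTORY_TYPE,
                    "Properties": {**_AD_PROPS, "Password": "asDjskjs73!!"}}}}
SAMPLE_DEFAULT_REF = {
    "Parameters": {"AdminPassword": {"Type": "String", "NoEcho": True, "Default": "asDjskjs73!"}},
    "Resources": {"Ad": {"Type": DIRECTORY_TYPE,
                  "Properties": {**_AD_PROPS, "Password": {"Ref": "AdminPassword"}}}},
}
SAMPLE_NO_DEFAULT = {
    "Parameters": {"AdminPassword": {"Type": "String", "NoEcho": True}},
    "Resources": {"Ad": {"Type": DIRECTORY_TYPE,
                  "Properties": {**_AD_PROPS, "Password": {"Ref": "AdminPassword"}}}},
}
SAMPLE_SECRET_JSON = json.dumps({"Resources": {
    "AdSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"GenerateSecretString": {
        "SecretStringTemplate": "{\"username\": \"Admin\"}", "GenerateStringKey": "password",
        "PasswordLength": 16, "ExcludeCharacters": "\"@/\\"}}},
    "Ad": {"Type": DIRECTORY_TYPE, "Properties": {**_AD_PROPS,
           "Password": {"Fn::Sub": "{{resolve:secretsmanager:${AdSecret}::password}}"}}},
}})

if __name__ == "__main__":
    cases = [("plaintext", SAMPLE_PLAINTEXT), ("Ref with Default", SAMPLE_DEFAULT_REF),
             ("Ref without Default", SAMPLE_NO_DEFAULT),
             ("Secrets Manager reference", load_template(SAMPLE_SECRET_JSON))]
    for label, template in cases:
        print(f"{label}: {find_password_findings(template) or 'no findings'}")
```

Two caveats worth keeping in mind when reading the results. A Parameter with Default: '' passes this rule, as it does on the page, but it still makes the parameter optional at deploy time; omitting Default entirely and setting NoEcho: true is the stronger shape. And NoEcho only masks the value in stack descriptions and the console; a Default that is written into the template body is still returned by GetTemplate, which is exactly why a defaulted password parameter is flagged.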
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Parameters:
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
NewAmpApp-2:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: true
Edition: String
EnableSso: true
Name: String
Password: 'asDjskjs73!!'
ShortName: String
Positive test num. 2 - yaml file
Resources:
NewAmpApp:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: true
Edition: String
EnableSso: true
Name: String
Password: 'asDjskjs73!!'
ShortName: String
Positive test num. 3 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: 'asDjskjs73!'
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
NewAmpApp-1:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: true
EnableSso: true
Edition: String
Name: String
Password: !Ref ParentMasterPassword
ShortName: String
Positive test num. 4 - json file
{
"Parameters": {
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"NewAmpApp-2": {
"Type": "AWS::DirectoryService::MicrosoftAD",
"Properties": {
"CreateAlias": true,
"Edition": "String",
"EnableSso": true,
"Name": "String",
"Password": "asDjskjs73!!",
"ShortName": "String"
}
}
}
}
Positive test num. 5 - json file
Positive test num. 6 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Type": "String",
"Default": "asDjskjs73!",
"Description": "Password"
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::DirectoryService::MicrosoftAD",
"Properties": {
"Edition": "String",
"Name": "String",
"Password": { "Ref": "ParentMasterPassword" },
"ShortName": "String",
"CreateAlias": true,
"EnableSso": true
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: ''
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
NewAmpApp-1:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: true
Edition: String
EnableSso: true
Name: String
Password: !Ref ParentMasterPassword
ShortName: String
Negative test num. 2 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username'
Resources:
NewAmpApp-1:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: true
Edition: String
EnableSso: true
Name: String
Password: !Ref ParentMasterPassword
ShortName: String
Negative test num. 3 - yaml file
Resources:
NewAmpApp-2:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: true
Edition: String
EnableSso: true
Name: String
Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
ShortName: String
MyAmpAppSecretManagerRotater:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my amp app instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
Negative test num. 4 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::DirectoryService::MicrosoftAD",
"Properties": {
"ShortName": "String",
"CreateAlias": true,
"Edition": "String",
"EnableSso": true,
"Name": "String",
"Password": { "Ref": "ParentMasterPassword" }
}
}
}
}
Negative test num. 5 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String"
},
"ParentMasterUsername": {
"Type": "String",
"Default": "username",
"Description": "username"
}
},
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::DirectoryService::MicrosoftAD",
"Properties": {
"CreateAlias": true,
"Edition": "String",
"EnableSso": true,
"Name": "String",
"Password": { "Ref": "ParentMasterPassword" },
"ShortName": "String"
}
}
}
}
Negative test num. 6 - json file
{
"Resources": {
"NewAmpApp-2": {
"Properties": {
"CreateAlias": true,
"Edition": "String",
"EnableSso": true,
"Name": "String",
"Password": { "Fn::Sub": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}" },
"ShortName": "String"
},
"Type": "AWS::DirectoryService::MicrosoftAD"
},
"MyAmpAppSecretManagerRotater": {
"Properties": {
"Description": "This is my amp app instance secret",
"GenerateSecretString": {
"SecretStringTemplate": "{\"username\": \"admin\"}",
"GenerateStringKey": "password",
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\"
}
},
"Type": "AWS::SecretsManager::Secret"
}
}
}