DMS Endpoint Password Exposed

  • Query id: 5f700072-b7ce-4e84-b3f3-497bf1c24a4d
  • Query name: DMS Endpoint Password Exposed
  • Platform: CloudFormation
  • Severity: High
  • Category: Secret Management
  • URL: Github

Description

The `Password` property of a DMS Endpoint must not be a plaintext string, nor a `Ref` to a Parameter that carries a `Default` value (a default baked into the template is just as exposed as a literal).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive sample 1: the endpoint password is a literal string inside the template.
# Anyone who can read the template (VCS history, CI logs, stack description) can
# recover the credential, so this query flags it.
# The remaining property values (String, KafkaSettings, ...) are schema placeholders
# as they appear in the resource reference; only Password is relevant to this query.
Resources:
  DMSEndpoint4:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      # Plaintext credential committed with the infrastructure code -> finding.
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Positive test num. 2 - yaml file
# Positive sample 2: the password is passed through a Parameter, but that Parameter
# has a non-empty Default. The secret therefore still lives in the template and
# is used whenever the deployer does not override it, so the query flags it.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    # Hard-coded default secret -> equivalent to a plaintext password.
    Default: 'asDjskjs73!'
  ParentMasterUsername:
    Description: 'username'
    Type: String
    # A default for the username is not a secret and is not what this query checks.
    Default: 'username!'
Resources:
  DMSEndpoint5:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      # Ref to a Parameter whose Default is a real password value -> finding.
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Positive test num. 3 - yaml file
# Positive sample 3: same literal password as sample 1. The only difference is an
# unrelated Parameters section; the presence of Parameters does not help when the
# Password property itself is still a plaintext string.
Parameters:
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint6:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      # Plaintext credential -> finding.
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String

Positive test num. 4 - json file
{
  "Resources": {
    "DMSEndpoint4": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "MongoDbSettings": "MongoDbSettings",
        "Port": 80,
        "SslMode": "String",
        "Username": "String",
        "KafkaSettings": "KafkaSettings",
        "EndpointIdentifier": "String",
        "NeptuneSettings": "NeptuneSettings",
        "DatabaseName": "String",
        "ExtraConnectionAttributes": "String",
        "ServerName": "String",
        "Tags": [
          "Tag"
        ],
        "EngineName": "String",
        "EndpointType": "String",
        "KinesisSettings": "KinesisSettings",
        "KmsKeyId": "String",
        "Password": "asDjskjs73!!",
        "S3Settings": "S3Settings",
        "CertificateArn": "String"
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "asDjskjs73!"
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    }
  },
  "Resources": {
    "DMSEndpoint5": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "EndpointIdentifier": "String",
        "S3Settings": "S3Settings",
        "ExtraConnectionAttributes": "String",
        "MongoDbSettings": "MongoDbSettings",
        "NeptuneSettings": "NeptuneSettings",
        "Password": "ParentMasterPassword",
        "CertificateArn": "String",
        "EngineName": "String",
        "KinesisSettings": "KinesisSettings",
        "KmsKeyId": "String",
        "ServerName": "String",
        "Username": "String",
        "DatabaseName": "String",
        "EndpointType": "String",
        "KafkaSettings": "KafkaSettings",
        "Port": 80,
        "SslMode": "String",
        "Tags": [
          "Tag"
        ]
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Parameters": {
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    }
  },
  "Resources": {
    "DMSEndpoint6": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "ServerName": "String",
        "EngineName": "String",
        "KinesisSettings": "KinesisSettings",
        "KmsKeyId": "String",
        "Port": 80,
        "S3Settings": "S3Settings",
        "Tags": [
          "Tag"
        ],
        "Username": "String",
        "DatabaseName": "String",
        "EndpointIdentifier": "String",
        "MongoDbSettings": "MongoDbSettings",
        "Password": "asDjskjs73!!",
        "SslMode": "String",
        "CertificateArn": "String",
        "NeptuneSettings": "NeptuneSettings",
        "EndpointType": "String",
        "ExtraConnectionAttributes": "String",
        "KafkaSettings": "KafkaSettings"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative sample 1: the password comes from a Parameter whose Default is the empty
# string, so no secret value is present in the template and the query does not flag it.
# NOTE(review): an empty Default still makes the parameter optional at deploy time;
# hardening beyond this query would drop the Default entirely and add NoEcho: true
# so the supplied value is masked in console and API output.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    # Empty default: nothing secret is stored here.
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint1:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      # Ref to a Parameter with no real default -> accepted by this query.
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Negative test num. 2 - yaml file
# Negative sample 2: the password Parameter has no Default at all, so the value must
# be supplied at stack creation and never appears in the template. Not flagged.
# NOTE(review): pairing this with NoEcho: true keeps the supplied value out of
# describe-stacks output and the console.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  DMSEndpoint2:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      # Ref to a Parameter without a Default -> accepted by this query.
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
Negative test num. 3 - yaml file
# Negative sample 3: the password is a dynamic reference into Secrets Manager. The
# secret is generated at deploy time by GenerateSecretString, so no credential is
# ever written into the template or its parameters. Not flagged.
Resources:
    DMSEndpoint3:
      Type: AWS::DMS::Endpoint
      Properties:
        CertificateArn: String
        DatabaseName: String
        EndpointIdentifier: String
        EndpointType: String
        EngineName: String
        ExtraConnectionAttributes: String
        KafkaSettings:
          KafkaSettings
        KinesisSettings:
          KinesisSettings
        KmsKeyId: String
        MongoDbSettings:
          MongoDbSettings
        NeptuneSettings:
          NeptuneSettings
        # Resolved by CloudFormation at deploy time from the generated secret's
        # "password" key; the template only carries the reference.
        Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        Port: 80
        S3Settings:
          S3Settings
        ServerName: String
        SslMode: String
        Tags:
          - Tag
        Username: String
    # The secret referenced above; its password field is generated, not authored.
    MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            # Fixed part of the secret JSON; the generated value is added under GenerateStringKey.
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            # Characters excluded from generation, typically to avoid connection-string escaping issues.
            ExcludeCharacters: '"@/\'

Negative test num. 4 - json file
{
  "Parameters": {
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    },
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "DMSEndpoint1": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "CertificateArn": "String",
        "EndpointType": "String",
        "EngineName": "String",
        "ExtraConnectionAttributes": "String",
        "EndpointIdentifier": "String",
        "ServerName": "String",
        "Username": "String",
        "KafkaSettings": "KafkaSettings",
        "KmsKeyId": "String",
        "NeptuneSettings": "NeptuneSettings",
        "Password": "ParentMasterPassword",
        "Port": 80,
        "Tags": [
          "Tag"
        ],
        "DatabaseName": "String",
        "KinesisSettings": "KinesisSettings",
        "MongoDbSettings": "MongoDbSettings",
        "S3Settings": "S3Settings",
        "SslMode": "String"
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Type": "String",
      "Description": "Password"
    },
    "ParentMasterUsername": {
      "Type": "String",
      "Default": "username",
      "Description": "username"
    }
  },
  "Resources": {
    "DMSEndpoint2": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "KafkaSettings": "KafkaSettings",
        "NeptuneSettings": "NeptuneSettings",
        "ServerName": "String",
        "Tags": [
          "Tag"
        ],
        "Username": "String",
        "EngineName": "String",
        "DatabaseName": "String",
        "EndpointIdentifier": "String",
        "EndpointType": "String",
        "KinesisSettings": "KinesisSettings",
        "KmsKeyId": "String",
        "Password": "ParentMasterPassword",
        "S3Settings": "S3Settings",
        "CertificateArn": "String",
        "MongoDbSettings": "MongoDbSettings",
        "Port": 80,
        "SslMode": "String",
        "ExtraConnectionAttributes": "String"
      }
    }
  }
}
Negative test num. 6 - json file
{
  "Resources": {
    "DMSEndpoint3": {
      "Type": "AWS::DMS::Endpoint",
      "Properties": {
        "SslMode": "String",
        "Username": "String",
        "CertificateArn": "String",
        "ExtraConnectionAttributes": "String",
        "KmsKeyId": "String",
        "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
        "Port": 80,
        "EndpointIdentifier": "String",
        "KafkaSettings": "KafkaSettings",
        "KinesisSettings": "KinesisSettings",
        "NeptuneSettings": "NeptuneSettings",
        "S3Settings": "S3Settings",
        "ServerName": "String",
        "Tags": [
          "Tag"
        ],
        "DatabaseName": "String",
        "EndpointType": "String",
        "EngineName": "String",
        "MongoDbSettings": "MongoDbSettings"
      }
    },
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my amp app instance secret",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    }
  }
}