Alexa Skill Plaintext Client Secret Exposed
- Query id: 3c3b7a58-b018-4d07-9444-d9ee7156e111
- Query name: Alexa Skill Plaintext Client Secret Exposed
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: Ongoing
- URL: Github
Description¶
Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
MySkill:
Type: "Alexa::ASK::Skill"
Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
Overrides:
Manifest:
apis:
custom:
endpoint:
uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
AuthenticationConfiguration:
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "1234"
RefreshToken: "Atzr|1234"
VendorId: "1234"
Positive test num. 2 - json file
{
"Resources": {
"MySkill": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"SkillPackage": {
"S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill",
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill"
}
}
}
}
},
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip"
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "1234",
"RefreshToken": "Atzr|1234"
},
"VendorId": "1234"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
MySkill:
Type: "Alexa::ASK::Skill"
Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
Overrides:
Manifest:
apis:
custom:
endpoint:
uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
AuthenticationConfiguration:
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "{{resolve:secretsmanager:123456}}"
RefreshToken: "Atzr|1234"
VendorId: "1234"
MySkill2:
Type: "Alexa::ASK::Skill"
Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
Overrides:
Manifest:
apis:
custom:
endpoint:
uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
AuthenticationConfiguration:
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "{{resolve:ssm-secure:123456}}"
RefreshToken: "Atzr|1234"
VendorId: "1234"
# trigger validation
Negative test num. 2 - json file
{
"Resources": {
"MySkill": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"SkillPackage": {
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip",
"S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill",
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill"
}
}
}
}
}
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "{{resolve:secretsmanager:123456}}",
"RefreshToken": "Atzr|1234"
},
"VendorId": "1234"
}
},
"MySkill2": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"SkillPackage": {
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip",
"S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill",
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill"
}
}
}
}
}
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "{{resolve:ssm-secure:123456}}",
"RefreshToken": "Atzr|1234"
},
"VendorId": "1234"
}
}
}
}