Directory Service Simple AD Password Exposed
- Query id: 6685d912-d81f-4cfa-95ad-e316ea31c989
- Query name: Directory Service Simple AD Password Exposed
- Platform: CloudFormation
- Severity: High
- Category: Secret Management
- CWE: Ongoing
- URL: Github
Description
The DirectoryService SimpleAD `Password` property must not be a plaintext string, nor a `Ref` to a Parameter that carries a `Default` value, because either form embeds the directory password in the template itself. Resolving the password from AWS Secrets Manager through a dynamic reference, as in the samples without vulnerabilities below, keeps the secret out of the template.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: ''
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
NewAmpApp4:
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: true
Description: String
EnableSso: true
Name: String
Password: 'asDjskjs73!!'
ShortName: String
Size: String
Positive test num. 2 - yaml file
Resources:
NewAmpApp5:
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: true
Description: String
EnableSso: true
Name: String
Password: 'asDjskjs73!!'
ShortName: String
Size: String
Positive test num. 3 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: 'asDjskjs73!'
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
NewAmpApp6:
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: true
Description: String
EnableSso: true
Name: String
Password: !Ref ParentMasterPassword
ShortName: String
Size: String
Positive test num. 4 - json file
{
"Parameters": {
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
},
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
}
},
"Resources": {
"NewAmpApp4": {
"Type": "AWS::DirectoryService::SimpleAD",
"Properties": {
"EnableSso": true,
"Name": "String",
"Password": "asDjskjs73!!",
"ShortName": "String",
"Size": "String",
"CreateAlias": true,
"Description": "String"
}
}
}
}
Positive test num. 5 - json file
Positive test num. 6 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": "asDjskjs73!"
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"NewAmpApp6": {
"Type": "AWS::DirectoryService::SimpleAD",
"Properties": {
"Size": "String",
"CreateAlias": true,
"Description": "String",
"EnableSso": true,
"Name": "String",
"Password": "ParentMasterPassword",
"ShortName": "String"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: ''
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
Resources:
NewAmpApp1:
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: true
Description: String
EnableSso: true
Name: String
Password: !Ref ParentMasterPassword
ShortName: String
Size: String
Negative test num. 2 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username'
Resources:
NewAmpApp2:
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: true
Description: String
EnableSso: true
Name: String
Password: !Ref ParentMasterPassword
ShortName: String
Size: String
Negative test num. 3 - yaml file
Resources:
NewAmpApp3:
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: true
Description: String
EnableSso: true
Name: String
Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
ShortName: String
Size: String
MyAmpAppSecretManagerRotater:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my amp app instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
Negative test num. 4 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
}
},
"Resources": {
"NewAmpApp1": {
"Type": "AWS::DirectoryService::SimpleAD",
"Properties": {
"Description": "String",
"EnableSso": true,
"Name": "String",
"Password": "ParentMasterPassword",
"ShortName": "String",
"Size": "String",
"CreateAlias": true
}
}
}
}
Negative test num. 5 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String"
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username"
}
},
"Resources": {
"NewAmpApp2": {
"Type": "AWS::DirectoryService::SimpleAD",
"Properties": {
"Size": "String",
"CreateAlias": true,
"Description": "String",
"EnableSso": true,
"Name": "String",
"Password": "ParentMasterPassword",
"ShortName": "String"
}
}
}
}
Negative test num. 6 - json file
{
"Resources": {
"NewAmpApp3": {
"Type": "AWS::DirectoryService::SimpleAD",
"Properties": {
"Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
"ShortName": "String",
"Size": "String",
"CreateAlias": true,
"Description": "String",
"EnableSso": true,
"Name": "String"
}
},
"MyAmpAppSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "This is my amp app instance secret",
"GenerateSecretString": {
"GenerateStringKey": "password",
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\",
"SecretStringTemplate": "{\"username\": \"admin\"}"
}
}
}
}
}