Alexa Skill Plaintext Client Secret Exposed

  • Query id: 3c3b7a58-b018-4d07-9444-d9ee7156e111
  • Query name: Alexa Skill Plaintext Client Secret Exposed
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Encryption
  • CWE: 256
  • URL: Github

Description

Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  MySkill:
    Type: "Alexa::ASK::Skill"
    Properties:
      SkillPackage:
        S3Bucket: "my-skill-packages"
        S3Key: "skillpackage.zip"
        S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
        Overrides:
          Manifest:
            apis:
              custom:
                endpoint:
                  uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
      AuthenticationConfiguration:
        ClientId: "amzn1.application-oa2-client.1234"
        ClientSecret: "1234"
        RefreshToken: "Atzr|1234"
      VendorId: "1234"
Positive test num. 2 - json file
{
  "Resources": {
    "MySkill": {
      "Type": "Alexa::ASK::Skill",
      "Properties": {
        "SkillPackage": {
          "S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill",
          "Overrides": {
            "Manifest": {
              "apis": {
                "custom": {
                  "endpoint": {
                    "uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill"
                  }
                }
              }
            }
          },
          "S3Bucket": "my-skill-packages",
          "S3Key": "skillpackage.zip"
        },
        "AuthenticationConfiguration": {
          "ClientId": "amzn1.application-oa2-client.1234",
          "ClientSecret": "1234",
          "RefreshToken": "Atzr|1234"
        },
        "VendorId": "1234"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  MySkill:
    Type: "Alexa::ASK::Skill"
    Properties:
      SkillPackage:
        S3Bucket: "my-skill-packages"
        S3Key: "skillpackage.zip"
        S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
        Overrides:
          Manifest:
            apis:
              custom:
                endpoint:
                  uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
      AuthenticationConfiguration:
        ClientId: "amzn1.application-oa2-client.1234"
        ClientSecret: "{{resolve:secretsmanager:123456}}"
        RefreshToken: "Atzr|1234"
      VendorId: "1234"
  MySkill2:
    Type: "Alexa::ASK::Skill"
    Properties:
      SkillPackage:
        S3Bucket: "my-skill-packages"
        S3Key: "skillpackage.zip"
        S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
        Overrides:
          Manifest:
            apis:
              custom:
                endpoint:
                  uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill
      AuthenticationConfiguration:
        ClientId: "amzn1.application-oa2-client.1234"
        ClientSecret: "{{resolve:ssm-secure:123456}}"
        RefreshToken: "Atzr|1234"
      VendorId: "1234"
      # trigger validation
Negative test num. 2 - json file
{
  "Resources": {
    "MySkill": {
      "Type": "Alexa::ASK::Skill",
      "Properties": {
        "SkillPackage": {
          "S3Bucket": "my-skill-packages",
          "S3Key": "skillpackage.zip",
          "S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill",
          "Overrides": {
            "Manifest": {
              "apis": {
                "custom": {
                  "endpoint": {
                    "uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill"
                  }
                }
              }
            }
          }
        },
        "AuthenticationConfiguration": {
          "ClientId": "amzn1.application-oa2-client.1234",
          "ClientSecret": "{{resolve:secretsmanager:123456}}",
          "RefreshToken": "Atzr|1234"
        },
        "VendorId": "1234"
      }
    },
    "MySkill2": {
      "Type": "Alexa::ASK::Skill",
      "Properties": {
        "SkillPackage": {
          "S3Bucket": "my-skill-packages",
          "S3Key": "skillpackage.zip",
          "S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill",
          "Overrides": {
            "Manifest": {
              "apis": {
                "custom": {
                  "endpoint": {
                    "uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill"
                  }
                }
              }
            }
          }
        },
        "AuthenticationConfiguration": {
          "ClientId": "amzn1.application-oa2-client.1234",
          "ClientSecret": "{{resolve:ssm-secure:123456}}",
          "RefreshToken": "Atzr|1234"
        },
        "VendorId": "1234"
      }
    }
  }
}