Directory Service Simple AD Password Exposed

  • Query id: 6685d912-d81f-4cfa-95ad-e316ea31c989
  • Query name: Directory Service Simple AD Password Exposed
  • Platform: CloudFormation
  • Severity: High
  • Category: Secret Management
  • CWE: 256
  • URL: Github

Description

The password of an AWS::DirectoryService::SimpleAD resource must not be a plaintext string, nor a Ref to a Parameter that has a Default value.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive sample: flagged because the SimpleAD Password property is a
# plaintext literal inside the template. The ParentMasterPassword parameter
# declared here is not what the resource references.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  NewAmpApp4:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
        CreateAlias: true
        Description: String
        EnableSso: true
        Name: String
        # Hard-coded secret: anyone who can read the template or the stack
        # definition can read the directory password (CWE-256).
        Password:  'asDjskjs73!!'
        ShortName: String
        Size: String
Positive test num. 2 - yaml file
# Positive sample: no Parameters section at all; the password is embedded
# directly in the resource.
Resources:
  NewAmpApp5:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
      CreateAlias: true
      Description: String
      EnableSso: true
      Name: String
      # Hard-coded secret stored in the template (CWE-256).
      Password: 'asDjskjs73!!'
      ShortName: String
      Size: String
Positive test num. 3 - yaml file
# Positive sample: the password is passed through a Parameter, but that
# Parameter carries a non-empty Default, so the secret still lives in the
# template and is used whenever the operator does not override it.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    # Non-empty Default on a password parameter is what triggers the finding.
    Default: 'asDjskjs73!'
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  NewAmpApp6:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
      CreateAlias: true
      Description: String
      EnableSso: true
      Name: String
      # Ref alone is not enough: the referenced parameter defaults to a
      # literal password (see Parameters above).
      Password: !Ref ParentMasterPassword
      ShortName: String
      Size: String

Positive test num. 4 - json file
{
  "Parameters": {
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    },
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp4": {
      "Type": "AWS::DirectoryService::SimpleAD",
      "Properties": {
        "EnableSso": true,
        "Name": "String",
        "Password": "asDjskjs73!!",
        "ShortName": "String",
        "Size": "String",
        "CreateAlias": true,
        "Description": "String"
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Resources": {
    "NewAmpApp5": {
      "Type": "AWS::DirectoryService::SimpleAD",
      "Properties": {
        "ShortName": "String",
        "Size": "String",
        "CreateAlias": true,
        "Description": "String",
        "EnableSso": true,
        "Name": "String",
        "Password": "asDjskjs73!!"
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "asDjskjs73!"
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    }
  },
  "Resources": {
    "NewAmpApp6": {
      "Type": "AWS::DirectoryService::SimpleAD",
      "Properties": {
        "Size": "String",
        "CreateAlias": true,
        "Description": "String",
        "EnableSso": true,
        "Name": "String",
        "Password": "ParentMasterPassword",
        "ShortName": "String"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative sample: Password is a Ref to a Parameter whose Default is the
# empty string; the query treats an empty Default as "no default" and does
# not flag it.
# NOTE(review): an empty Default still lets the stack deploy without an
# operator-supplied value unless the parameter is otherwise constrained;
# omitting Default (negative test 2) and setting NoEcho: true on the
# parameter is the stronger form.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  NewAmpApp1:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
        CreateAlias: true
        Description: String
        EnableSso: true
        Name: String
        # Value supplied at stack creation, not stored in the template.
        Password: !Ref ParentMasterPassword
        ShortName: String
        Size: String
Negative test num. 2 - yaml file
# Negative sample: Password is a Ref to a Parameter with no Default, so the
# value must be supplied at stack creation and never appears in the template.
# NOTE(review): pairing this with NoEcho: true keeps the supplied value out
# of stack describe output and the console as well.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  NewAmpApp2:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
      CreateAlias: true
      Description: String
      EnableSso: true
      Name: String
      # Resolved from the operator-provided parameter value.
      Password: !Ref ParentMasterPassword
      ShortName: String
      Size: String
Negative test num. 3 - yaml file
# Negative sample: the password is a dynamic reference resolved from
# Secrets Manager at deploy time. The secret value is generated by the
# AWS::SecretsManager::Secret resource below and is never written into
# the template.
Resources:
  NewAmpApp3:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
        CreateAlias: true
        Description: String
        EnableSso: true
        Name: String
        # '{{resolve:secretsmanager:...}}' is expanded by CloudFormation at
        # deployment; the template only carries the secret's logical ID.
        Password:  !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        ShortName: String
        Size: String
  MyAmpAppSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my amp app instance secret'
      # The password is generated by the service rather than authored by a
      # human, so it has no plaintext representation anywhere in source.
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'

Negative test num. 4 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username!"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::DirectoryService::SimpleAD",
      "Properties": {
        "Description": "String",
        "EnableSso": true,
        "Name": "String",
        "Password": "ParentMasterPassword",
        "ShortName": "String",
        "Size": "String",
        "CreateAlias": true
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String"
    },
    "ParentMasterUsername": {
      "Description": "username",
      "Type": "String",
      "Default": "username"
    }
  },
  "Resources": {
    "NewAmpApp2": {
      "Type": "AWS::DirectoryService::SimpleAD",
      "Properties": {
        "Size": "String",
        "CreateAlias": true,
        "Description": "String",
        "EnableSso": true,
        "Name": "String",
        "Password": "ParentMasterPassword",
        "ShortName": "String"
      }
    }
  }
}
Negative test num. 6 - json file
{
  "Resources": {
    "NewAmpApp3": {
      "Type": "AWS::DirectoryService::SimpleAD",
      "Properties": {
        "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
        "ShortName": "String",
        "Size": "String",
        "CreateAlias": true,
        "Description": "String",
        "EnableSso": true,
        "Name": "String"
      }
    },
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my amp app instance secret",
        "GenerateSecretString": {
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\",
          "SecretStringTemplate": "{\"username\": \"admin\"}"
        }
      }
    }
  }
}