CloudFormation Specifying Credentials Not Safe

  • Query id: 9ecb6b21-18bc-4aa7-bd07-db20f1c746db
  • Query name: CloudFormation Specifying Credentials Not Safe
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

Specifying credentials in the template itself is probably not safe to do.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    DependsOn: "BucketPolicy"
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              source:
                Fn::Join:
                  - ""
                  -
                    - "http://s3.amazonaws.com/"
                    - Ref: "BucketName"
                    - "/index.html"
              mode: "000400"
              owner: "apache"
              group: "apache"
              authentication: "S3AccessCreds"
          services:
            sysvinit:
              httpd:
                enabled: "true"
                ensureRunning: "true"
      AWS::CloudFormation::Authentication:
        S3AccessCreds:
          type: "S3"
          accessKeyId:
            Ref: "CfnKeys"
          secretKey:
            Fn::GetAtt:
              - "CfnKeys"
              - "SecretAccessKey"
  WebServer2:
    Type: AWS::EC2::Instance
    DependsOn: "BucketPolicy"
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              source:
                Fn::Join:
                  - ""
                  -
                    - "http://s3.amazonaws.com/"
                    - Ref: "BucketName"
                    - "/index.html"
              mode: "000400"
              owner: "apache"
              group: "apache"
              authentication: "S3AccessCreds"
          services:
            sysvinit:
              httpd:
                enabled: "true"
                ensureRunning: "true"
      AWS::CloudFormation::Authentication:
        BasicAccessCreds:
          type: "basic"
          username:
            Ref: "UserName"
          password:
            Ref: "Password"
          uris:
            - "example.com/test"
Properties:
  EC2 Resource Properties ...
Positive test num. 2 - json file
{
  "Properties": "EC2 Resource Properties ...",
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "WebServer": {
      "DependsOn": "BucketPolicy",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": {
              "yum": {
                "httpd": []
              }
            },
            "files": {
              "/var/www/html/index.html": {
                "authentication": "S3AccessCreds",
                "source": {
                  "Fn::Join": [
                    "",
                    [
                      "http://s3.amazonaws.com/",
                      {
                        "Ref": "BucketName"
                      },
                      "/index.html"
                    ]
                  ]
                },
                "mode": "000400",
                "owner": "apache",
                "group": "apache"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                }
              }
            }
          }
        },
        "AWS::CloudFormation::Authentication": {
          "S3AccessCreds": {
            "type": "S3",
            "accessKeyId": {
              "Ref": "CfnKeys"
            },
            "secretKey": {
              "Fn::GetAtt": [
                "CfnKeys",
                "SecretAccessKey"
              ]
            }
          }
        }
      },
      "Type": "AWS::EC2::Instance"
    },
    "WebServer2": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "BucketPolicy",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": {
              "yum": {
                "httpd": []
              }
            },
            "files": {
              "/var/www/html/index.html": {
                "group": "apache",
                "authentication": "S3AccessCreds",
                "source": {
                  "Fn::Join": [
                    "",
                    [
                      "http://s3.amazonaws.com/",
                      {
                        "Ref": "BucketName"
                      },
                      "/index.html"
                    ]
                  ]
                },
                "mode": "000400",
                "owner": "apache"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                }
              }
            }
          }
        },
        "AWS::CloudFormation::Authentication": {
          "BasicAccessCreds": {
            "uris": [
              "example.com/test"
            ],
            "type": "basic",
            "username": {
              "Ref": "UserName"
            },
            "password": {
              "Ref": "Password"
            }
          }
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          files:
            /var/www/html/index.html:
              source:
                Fn::Join:
                  - ""
                  -
                    - "http://s3.amazonaws.com/"
                    - Ref: "BucketName"
                    - "/index.html"
              mode: "000400"
              owner: "apache"
              group: "apache"
              authentication: "S3AccessCreds"
          services:
            sysvinit:
              httpd:
                enabled: "true"
                ensureRunning: "true"
Negative test num. 2 - json file
{
  "Resources": {
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "BucketPolicy",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": {
              "yum": {
                "httpd": []
              }
            },
            "files": {
              "/var/www/html/index.html": {
                "source": {
                  "Fn::Join": [
                    "",
                    [
                      "http://s3.amazonaws.com/",
                      {
                        "Ref": "BucketName"
                      },
                      "/index.html"
                    ]
                  ]
                },
                "mode": "000400",
                "owner": "apache",
                "group": "apache",
                "authentication": "S3AccessCreds"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                }
              }
            }
          }
        }
      }
    }
  },
  "Properties": "EC2 Resource Properties ...",
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}