DocDB Cluster Master Password In Plaintext

  • Query id: 39423ce4-9011-46cd-b6b1-009edcd9385d
  • Query name: DocDB Cluster Master Password In Plaintext
  • Platform: CloudFormation
  • Severity: High
  • Category: Secret Management
  • URL: Github

Description

The DocDB DB Cluster master user password must not be written as a plaintext string literal in the template, and must not be taken from a template parameter whose default value holds the password; supply it at deploy time (a parameter with no default) or resolve it from Secrets Manager, as the negative samples below do.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive case: the master password is a literal string inside the template,
# so the credential lives in the template source and in every copy of it.
Resources:
  NewAmpApp:
    Type:  AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      # Flagged: plaintext secret literal.
      MasterUserPassword: 'asDjskjs73!!'
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Positive test num. 2 - yaml file
# Positive case: the password is not inlined on the resource, but the parameter
# it is referenced from carries the password as its default value. If the
# deployer does not override the parameter, the default is what gets used, so
# the secret is still committed in the template.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    # Flagged: plaintext secret as a parameter default.
    Default: 'asDjskjs73!'
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      # The !Ref itself is fine; the problem is the Default above.
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Positive test num. 3 - yaml file
# Positive case: same shape as Positive test num. 1 (only the logical ID
# differs) - a plaintext password literal on the cluster resource.
Resources:
  NewAmpApp03:
    Type:  AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      # Flagged: plaintext secret literal.
      MasterUserPassword: 'asDjskjs73!!'
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

Positive test num. 4 - json file
{
  "Resources": {
    "NewAmpApp": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DBSubnetGroupName": "default",
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "Port": 27017,
        "StorageEncrypted": true,
        "BackupRetentionPeriod": 8,
        "DBClusterIdentifier": "sample-cluster",
        "DeletionProtection": true,
        "MasterUserPassword": "asDjskjs73!!",
        "PreferredBackupWindow": "07:34-08:04"
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": "asDjskjs73!"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "PreferredBackupWindow": "07:34-08:04",
        "BackupRetentionPeriod": 8,
        "DBClusterIdentifier": "sample-cluster",
        "DeletionProtection": true,
        "MasterUserPassword": "ParentMasterPassword",
        "Port": 27017,
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true,
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DBSubnetGroupName": "default"
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Resources": {
    "NewAmpApp03": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "Port": 27017,
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "DBClusterIdentifier": "sample-cluster",
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DBSubnetGroupName": "default",
        "DeletionProtection": true,
        "KmsKeyId": "your-kms-key-id",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true,
        "BackupRetentionPeriod": 8,
        "MasterUsername": "your-master-username",
        "MasterUserPassword": "asDjskjs73!!"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative case: the password comes from a parameter whose default is an empty
# string, so no secret value is present in the template; the real value has to
# be supplied when the stack is created or updated.
# NOTE(review): the parameter has no `NoEcho: true`, so the value passed at
# deploy time is shown unmasked wherever stack parameters are displayed -
# worth adding even though this query does not check for it.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    # Empty default: not a secret, so not flagged. Presumably meant to force
    # an override at deploy time - confirm the empty value is rejected
    # rather than accepted as the password.
    Default: ''
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true
Negative test num. 2 - json file
{
  "Parameters": {
    "ParentAccessToken": {
      "Description": "Access Token",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp4": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "AccessToken": "ParentAccessToken",
        "Description": "String",
        "Repository": "String",
        "OauthToken": "String",
        "BuildSpec": "String",
        "CustomHeaders": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String",
        "Name": "NewAmpApp"
      }
    }
  }
}
Negative test num. 3 - yaml file
# Negative case: the parameter has no Default at all, so CloudFormation
# requires the deployer to provide the password at stack creation; nothing
# secret is stored in the template.
# NOTE(review): as in the other parameter-based samples, `NoEcho: true` on
# the parameter would keep the supplied value from being echoed back in
# stack parameter listings.
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      # Resolved from the required parameter above.
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

Negative test num. 4 - yaml file
# Negative case (preferred pattern): the password is a Secrets Manager dynamic
# reference, resolved at deploy time, and the secret itself is generated by
# CloudFormation - no password value appears anywhere in the template.
# NOTE(review): this sample is indented with 5/8 spaces while the rest of the
# page uses 2; it is valid YAML but worth normalizing.
Resources:
     NewAmpApp2:
        Type: AWS::DocDB::DBCluster
        Properties:
          # !Sub only interpolates the secret's logical ID into the
          # '{{resolve:secretsmanager:...}}' dynamic reference; the value is
          # fetched from Secrets Manager when the stack is deployed.
          MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
          Port: 27017
          PreferredBackupWindow: "07:34-08:04"
          PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
          SnapshotIdentifier: "sample-cluster-snapshot-id"
          StorageEncrypted: true
     # NOTE(review): despite the "Rotater" name, no rotation schedule resource
     # is defined in this sample; the secret is generated once here.
     MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          # Secrets Manager generates the 16-character password and stores it
          # under the "password" key alongside the fixed username.
          GenerateSecretString:
            SecretStringTemplate: '{"username":"admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            # Characters excluded from the generated value.
            ExcludeCharacters: '"@/\'
Negative test num. 5 - yaml file
# Negative case: this template declares an AWS::Amplify::App, not an
# AWS::DocDB::DBCluster, so the query has nothing to match; it is kept as a
# no-finding fixture. (The token is still referenced from a parameter with
# no default, which is the same safe pattern the DocDB samples use.)
Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
Negative test num. 6 - yaml file
# Negative case: AWS::Amplify::App, out of scope for a DocDB query, so no
# finding. Differs from Negative test num. 5 only by the empty-string
# Default on the parameter, which carries no secret.
Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String
Negative test num. 7 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Properties": {
        "BackupRetentionPeriod": 8,
        "DBSubnetGroupName": "default",
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "Port": 27017,
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true,
        "DBClusterIdentifier": "sample-cluster",
        "DBClusterParameterGroupName": "default.docdb3.6",
        "DeletionProtection": true,
        "MasterUserPassword": "ParentMasterPassword",
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21"
      },
      "Type": "AWS::DocDB::DBCluster"
    }
  }
}
Negative test num. 8 - json file
{
  "Parameters": {
    "ParentMasterPassword": {
      "Description": "Password",
      "Type": "String"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "sample-cluster",
        "DBSubnetGroupName": "default",
        "DeletionProtection": true,
        "MasterUserPassword": "ParentMasterPassword",
        "Port": 27017,
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "BackupRetentionPeriod": 8,
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "KmsKeyId": "your-kms-key-id",
        "MasterUsername": "your-master-username",
        "StorageEncrypted": true,
        "DBClusterParameterGroupName": "default.docdb3.6"
      }
    }
  }
}
Negative test num. 9 - json file
{
  "Resources": {
    "NewAmpApp2": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "MasterUserPassword": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
        "Port": 27017,
        "PreferredBackupWindow": "07:34-08:04",
        "PreferredMaintenanceWindow": "sat:04:51-sat:05:21",
        "SnapshotIdentifier": "sample-cluster-snapshot-id",
        "StorageEncrypted": true
      }
    },
    "MyAmpAppSecretManagerRotater": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is my amp app instance secret",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\":\"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    }
  }
}
Negative test num. 10 - json file
{
  "Parameters": {
    "ParentAccessToken": {
      "Type": "String",
      "Description": "Access Token"
    }
  },
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "Name": "NewAmpApp",
        "OauthToken": "String",
        "Description": "String",
        "EnableBranchAutoDeletion": true,
        "CustomHeaders": "String",
        "IAMServiceRole": "String",
        "Repository": "String",
        "AccessToken": "ParentAccessToken",
        "BuildSpec": "String"
      }
    }
  }
}