DMS Endpoint MongoDB Settings Password Exposed
- Query id: f988a17f-1139-46a3-8928-f27eafd8b024
- Query name: DMS Endpoint MongoDB Settings Password Exposed
- Platform: CloudFormation
- Severity: High
- Category: Secret Management
- URL: Github
Description¶
DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: ''
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
MasterMongoDBPassword:
Description: 'Password'
Type: String
Default: 'as@3djdkDjskjs73!!'
Resources:
NewAmpApp4:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
AuthMechanism: String
AuthSource: String
AuthType: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: !Ref MasterMongoDBPassword
Port: 80
ServerName: String
Username: String
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Positive test num. 2 - yaml file
Resources:
NewAmpApp5:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
AuthMechanism: String
AuthSource: String
AuthType: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: 'as@3djdkDjskjs73!!'
Port: 80
ServerName: String
Username: String
NeptuneSettings:
NeptuneSettings
Password: 'asDjskjs73!!'
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Positive test num. 3 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
MasterMongoDBPassword:
Description: 'Password'
Type: String
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username'
Resources:
NewAmpApp6:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
AuthMechanism: String
AuthSource: String
AuthType: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: 'asDjskjs73!!'
Port: 80
ServerName: String
Username: String
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Positive test num. 4 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
},
"MasterMongoDBPassword": {
"Description": "Password",
"Type": "String",
"Default": "as@3djdkDjskjs73!!"
}
},
"Resources": {
"NewAmpApp4": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"CertificateArn": "String",
"DatabaseName": "String",
"EndpointType": "String",
"ExtraConnectionAttributes": "String",
"SslMode": "String",
"EndpointIdentifier": "String",
"MongoDbSettings": {
"ServerName": "String",
"Username": "String",
"AuthMechanism": "String",
"AuthType": "String",
"DatabaseName": "String",
"DocsToInvestigate": "String",
"NestingLevel": "String",
"Password": "MasterMongoDBPassword",
"AuthSource": "String",
"ExtractDocId": "String",
"Port": 80
},
"NeptuneSettings": "NeptuneSettings",
"Password": "ParentMasterPassword",
"Tags": [
"Tag"
],
"KafkaSettings": "KafkaSettings",
"KinesisSettings": "KinesisSettings",
"KmsKeyId": "String",
"Port": 80,
"ServerName": "String",
"Username": "String",
"EngineName": "String",
"S3Settings": "S3Settings"
}
}
}
}
Positive test num. 5 - json file
{
"Resources": {
"NewAmpApp5": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"EndpointIdentifier": "String",
"EngineName": "String",
"SslMode": "String",
"Username": "String",
"ExtraConnectionAttributes": "String",
"KafkaSettings": "KafkaSettings",
"KinesisSettings": "KinesisSettings",
"NeptuneSettings": "NeptuneSettings",
"S3Settings": "S3Settings",
"DatabaseName": "String",
"MongoDbSettings": {
"AuthMechanism": "String",
"AuthSource": "String",
"AuthType": "String",
"DatabaseName": "String",
"Port": 80,
"Username": "String",
"DocsToInvestigate": "String",
"ExtractDocId": "String",
"NestingLevel": "String",
"Password": "as@3djdkDjskjs73!!",
"ServerName": "String"
},
"Password": "asDjskjs73!!",
"ServerName": "String",
"CertificateArn": "String",
"EndpointType": "String",
"KmsKeyId": "String",
"Port": 80,
"Tags": [
"Tag"
]
}
}
}
}
Positive test num. 6 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Type": "String",
"Description": "Password"
},
"MasterMongoDBPassword": {
"Description": "Password",
"Type": "String"
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username"
}
},
"Resources": {
"NewAmpApp6": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"ExtraConnectionAttributes": "String",
"KafkaSettings": "KafkaSettings",
"NeptuneSettings": "NeptuneSettings",
"Password": "ParentMasterPassword",
"EndpointIdentifier": "String",
"EndpointType": "String",
"KinesisSettings": "KinesisSettings",
"S3Settings": "S3Settings",
"ServerName": "String",
"DatabaseName": "String",
"KmsKeyId": "String",
"MongoDbSettings": {
"DatabaseName": "String",
"NestingLevel": "String",
"AuthSource": "String",
"AuthType": "String",
"ExtractDocId": "String",
"Password": "asDjskjs73!!",
"Port": 80,
"ServerName": "String",
"Username": "String",
"AuthMechanism": "String",
"DocsToInvestigate": "String"
},
"Port": 80,
"Username": "String",
"CertificateArn": "String",
"SslMode": "String",
"Tags": [
"Tag"
],
"EngineName": "String"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
Default: ''
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username!'
MasterMongoDBPassword:
Description: 'Password'
Type: String
Default: ''
Resources:
NewAmpApp1:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
AuthMechanism: String
AuthSource: String
AuthType: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: !Ref MasterMongoDBPassword
Port: 80
ServerName: String
Username: String
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Negative test num. 2 - yaml file
Parameters:
ParentMasterPassword:
Description: 'Password'
Type: String
MasterMongoDBPassword:
Description: 'Password'
Type: String
ParentMasterUsername:
Description: 'username'
Type: String
Default: 'username'
Resources:
NewAmpApp2:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
AuthMechanism: String
AuthSource: String
AuthType: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: !Ref MasterMongoDBPassword
Port: 80
ServerName: String
Username: String
NeptuneSettings:
NeptuneSettings
Password: !Ref ParentMasterPassword
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Negative test num. 3 - yaml file
Resources:
NewAmpApp3:
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KafkaSettings:
KafkaSettings
KinesisSettings:
KinesisSettings
KmsKeyId: String
MongoDbSettings:
AuthMechanism: String
AuthSource: String
AuthType: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: !Sub '{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}'
Port: 80
ServerName: String
Username: String
NeptuneSettings:
NeptuneSettings
Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
Port: 80
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
MyAmpAppSecretManagerRotater:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my amp app instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
MongoDBSecretManagerRotater:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my MongoDBSecretManagerRotater instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
Negative test num. 4 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username!"
},
"MasterMongoDBPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
}
},
"Resources": {
"NewAmpApp1": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"Username": "String",
"EndpointIdentifier": "String",
"EngineName": "String",
"Tags": [
"Tag"
],
"Password": "ParentMasterPassword",
"Port": 80,
"CertificateArn": "String",
"DatabaseName": "String",
"EndpointType": "String",
"KinesisSettings": "KinesisSettings",
"KmsKeyId": "String",
"NeptuneSettings": "NeptuneSettings",
"S3Settings": "S3Settings",
"ServerName": "String",
"SslMode": "String",
"ExtraConnectionAttributes": "String",
"KafkaSettings": "KafkaSettings",
"MongoDbSettings": {
"AuthMechanism": "String",
"NestingLevel": "String",
"Password": "MasterMongoDBPassword",
"Port": 80,
"AuthSource": "String",
"AuthType": "String",
"DatabaseName": "String",
"DocsToInvestigate": "String",
"ExtractDocId": "String",
"ServerName": "String",
"Username": "String"
}
}
}
}
}
Negative test num. 5 - json file
{
"Parameters": {
"ParentMasterPassword": {
"Description": "Password",
"Type": "String"
},
"MasterMongoDBPassword": {
"Description": "Password",
"Type": "String"
},
"ParentMasterUsername": {
"Description": "username",
"Type": "String",
"Default": "username"
}
},
"Resources": {
"NewAmpApp2": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"EngineName": "String",
"KinesisSettings": "KinesisSettings",
"Password": "ParentMasterPassword",
"EndpointIdentifier": "String",
"KafkaSettings": "KafkaSettings",
"MongoDbSettings": {
"AuthMechanism": "String",
"AuthType": "String",
"DatabaseName": "String",
"ExtractDocId": "String",
"Port": 80,
"ServerName": "String",
"AuthSource": "String",
"DocsToInvestigate": "String",
"NestingLevel": "String",
"Password": "MasterMongoDBPassword",
"Username": "String"
},
"Port": 80,
"CertificateArn": "String",
"Tags": [
"Tag"
],
"Username": "String",
"NeptuneSettings": "NeptuneSettings",
"S3Settings": "S3Settings",
"ServerName": "String",
"SslMode": "String",
"DatabaseName": "String",
"EndpointType": "String",
"ExtraConnectionAttributes": "String",
"KmsKeyId": "String"
}
}
}
}
Negative test num. 6 - json file
{
"Resources": {
"MyAmpAppSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "This is my amp app instance secret",
"GenerateSecretString": {
"ExcludeCharacters": "\"@/\\",
"SecretStringTemplate": "{\"username\": \"admin\"}",
"GenerateStringKey": "password",
"PasswordLength": 16
}
}
},
"MongoDBSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "This is my MongoDBSecretManagerRotater instance secret",
"GenerateSecretString": {
"GenerateStringKey": "password",
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\",
"SecretStringTemplate": "{\"username\": \"admin\"}"
}
}
},
"NewAmpApp3": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"EndpointType": "String",
"ExtraConnectionAttributes": "String",
"KmsKeyId": "String",
"NeptuneSettings": "NeptuneSettings",
"CertificateArn": "String",
"S3Settings": "S3Settings",
"Username": "String",
"MongoDbSettings": {
"Username": "String",
"AuthMechanism": "String",
"AuthType": "String",
"DocsToInvestigate": "String",
"ExtractDocId": "String",
"NestingLevel": "String",
"Password": "{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}",
"Port": 80,
"ServerName": "String",
"AuthSource": "String",
"DatabaseName": "String"
},
"EndpointIdentifier": "String",
"EngineName": "String",
"Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
"Tags": [
"Tag"
],
"DatabaseName": "String",
"KinesisSettings": "KinesisSettings",
"Port": 80,
"ServerName": "String",
"SslMode": "String",
"KafkaSettings": "KafkaSettings"
}
}
}
}