Description:

CloudFormation outputs hold the values a stack publishes once it has been created or updated (resource IDs, endpoints, and anything else the template places in its Outputs section). These values may include secrets such as user names, passwords, and tokens. Outputs cannot be encrypted, so any principal that can call cloudformation:DescribeStacks, or otherwise view stack outputs in the console or API, can read these secrets in plaintext.

Rationale:

Ensure that no personal or sensitive information is passed into or emitted from the CloudFormation Outputs section. Retrieve secrets at deploy time from a secrets store such as AWS Secrets Manager rather than passing them through stack parameters and outputs. We also strongly recommend against including NoEcho parameters, or any other sensitive data, in resource properties that form part of a resource's primary identifier, because primary identifiers appear in plaintext as physical resource IDs in stack events and resource listings.

Impact:

Secrets placed in stack outputs are readable by every principal with cloudformation:DescribeStacks and are displayed in plaintext in the console, the CLI, and the API; outputs that are exported are additionally visible to anyone who can list exports or to any stack in the account that imports them. A leaked database password, API token, or key pair name can give an attacker who holds only read-level access to the stack a foothold on the underlying resources.

Default:

CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets. Note that setting NoEcho on a parameter masks its value in DescribeStacks and the console, but does not mask information placed in the Outputs or Metadata sections that references that parameter.

Pre-requisites:

  • Sign in as admin or IAM user with required permissions

Remediation:

Test Plan:

  1. Sign in to the AWS console

  2. Go to the CloudFormation service at console.aws.amazon.com/cloudformation

  3. Select Stacks in the left navigation pane

  4. Select the stack you want to audit

  5. Open the Parameters tab, then the Outputs tab

  6. If a parameter that carries sensitive information (password, token, key) is shown in plaintext rather than masked with asterisks, or if any output value contains such data, follow the implementation steps


Using AWS CLI, list the stack's parameters and outputs and look for sensitive values that are not masked:

aws cloudformation describe-stacks --stack-name myteststack --query 'Stacks[].{Parameters:Parameters,Outputs:Outputs}'
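The describe-stacks output above becomes long once a stack has many parameters and outputs, and the review in the test plan is easy to do inconsistently by eye. The following script is added here as an example and is not part of the original control text or any AWS tooling: it audits a describe-stacks JSON response for sensitive-looking parameters that are not masked (i.e. not NoEcho) and for outputs whose key or value looks like a credential. The stack name, keys and values in SAMPLE_RESPONSE are constructed, and the sensitive-key pattern is an assumption to adjust to your own naming conventions.

```python
"""Audit `aws cloudformation describe-stacks` output for exposed secrets.

Real stacks:
    aws cloudformation describe-stacks --output json | python audit_cfn_secrets.py
With no piped stdin the script audits the constructed SAMPLE_RESPONSE below.
"""
import json
import re
import sys

# Parameter/output names that usually carry credentials (assumed convention;
# extend for your own naming scheme).
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|credential|private)", re.I)
# NoEcho parameters come back from DescribeStacks as a run of asterisks.
MASKED = re.compile(r"\*+")
# Credentials embedded in a URL, e.g. scheme://user:pass@host
URL_CREDS = re.compile(r"://[^/\s:]+:[^@\s]+@")

# Constructed sample response; not data from a real account.
SAMPLE_RESPONSE = {
    "Stacks": [
        {
            "StackName": "myteststack",
            "Parameters": [
                {"ParameterKey": "KeyPairName", "ParameterValue": "ops-key"},
                {"ParameterKey": "DBPassword", "ParameterValue": "****"},    # NoEcho: true
                {"ParameterKey": "ApiToken", "ParameterValue": "tok-1234"},  # NoEcho missing
            ],
            "Outputs": [
                {"OutputKey": "DBEndpoint", "OutputValue": "db.internal:5432"},
                {"OutputKey": "DBConnectionString",
                 "OutputValue": "postgres://app:Sup3rSecret@db.internal:5432/app"},
                # NoEcho on the parameter does not mask an output that echoes it.
                {"OutputKey": "DBPassword", "OutputValue": "Sup3rSecret"},
            ],
        }
    ]
}


def audit_stacks(response):
    """Return (stack, section, key, reason) tuples for every suspicious entry."""
    findings = []
    for stack in response.get("Stacks", []):
        name = stack["StackName"]
        for p in stack.get("Parameters", []):
            key, value = p["ParameterKey"], p.get("ParameterValue", "")
            if SENSITIVE_KEY.search(key) and not MASKED.fullmatch(value):
                findings.append((name, "Parameters", key,
                                 "sensitive parameter is not NoEcho (value visible)"))
        for o in stack.get("Outputs", []):
            key, value = o["OutputKey"], o.get("OutputValue", "")
            if SENSITIVE_KEY.search(key):
                findings.append((name, "Outputs", key, "sensitive-looking output key"))
            elif URL_CREDS.search(value):
                findings.append((name, "Outputs", key, "credentials embedded in URL value"))
    return findings


if __name__ == "__main__":
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for stack, section, key, reason in audit_stacks(data):
        print(f"{stack}: {section}.{key} -> {reason}")
    sys.exit(1 if audit_stacks(data) else 0)
```

The script exits non-zero when it finds anything, so it can gate a pipeline; a masked parameter (asterisks) is treated as compliant, while an output whose value carries credentials is flagged even when its key looks harmless.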

Implementation Steps:

  1. Sign in to the AWS console

  2. Go to the CloudFormation service at console.aws.amazon.com/cloudformation

  3. Select Stacks in the left navigation pane

  4. Select the stack you want to remediate

  5. Click Update

  6. Choose Edit template in designer

  7. Click View in Designer

  8. In the template, find the parameter that holds sensitive information and check its NoEcho attribute; it is either missing or set to false

  9. Set the NoEcho attribute to true, and remove the secret from the Outputs section, since NoEcho does not mask outputs

  10. Click the Create stack icon in Designer to start the update with the edited template

  11. Click Next

  12. Keep the existing stack name and parameter values, click Next

  13. Review the stack and click Update stack

Using AWS CLI:

  1. Configure AWS CLI credentials, upload the updated template (NoEcho set to true on the sensitive parameter, the secret removed from Outputs) to S3, then update the stack. Pass the sensitive parameter with UsePreviousValue=true so its value does not appear on the command line or in shell history:

aws cloudformation update-stack --stack-name mystack --template-url https://s3.amazonaws.com/sample/updated.template --parameters ParameterKey=KeyPairName,UsePreviousValue=true ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\,UpdatedSampleSubnetID2
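The console and CLI steps above change one attribute by hand. For templates with many parameters it is safer to apply the fix mechanically before uploading the template to S3. The following script is an added example (not the page's own procedure or AWS-provided code): it sets NoEcho to true on every parameter whose name looks sensitive and reports any Output that still references such a parameter through Ref or Fn::Sub, because NoEcho does not mask outputs and those must be removed by hand. SAMPLE_TEMPLATE, its resource names and the sensitive-name pattern are constructed assumptions; the script handles JSON templates only (YAML templates with short-form tags such as !Ref need a tag-aware loader first).

```python
"""Harden a JSON CloudFormation template before `update-stack`.

Usage:
    python harden_cfn_template.py template.json > updated.template
Leaking outputs are reported on stderr; fix those in the template by hand.
"""
import copy
import json
import re
import sys

# Assumed naming convention for credential-bearing parameters.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|credential|private)", re.I)

# Constructed sample template; not from the original page.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "KeyPairName": {"Type": "AWS::EC2::KeyPair::KeyName"},
        "DBPassword": {"Type": "String", "NoEcho": "false"},
        "ApiToken": {"Type": "String"},
    },
    "Resources": {
        "Db": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"MasterUserPassword": {"Ref": "DBPassword"}},
        }
    },
    "Outputs": {
        "Endpoint": {"Value": {"Fn::GetAtt": ["Db", "Endpoint.Address"]}},
        # Both of these echo the secret in plaintext regardless of NoEcho.
        "DBPassword": {"Value": {"Ref": "DBPassword"}},
        "ConnString": {"Value": {"Fn::Sub":
                       "postgres://app:${DBPassword}@${Db.Endpoint.Address}/app"}},
    },
}


def references(node, name):
    """True if `node` references parameter `name` via Ref or Fn::Sub."""
    if isinstance(node, dict):
        if node.get("Ref") == name:
            return True
        sub = node.get("Fn::Sub")
        template_str = sub if isinstance(sub, str) else (sub[0] if isinstance(sub, list) and sub else "")
        if "${%s}" % name in template_str:
            return True
        return any(references(v, name) for v in node.values())
    if isinstance(node, list):
        return any(references(v, name) for v in node)
    return False


def _is_noecho(spec):
    return str(spec.get("NoEcho", "false")).lower() == "true"


def harden(template):
    """Return (hardened_copy, parameters_changed, [(output, parameter), ...])."""
    template = copy.deepcopy(template)  # never mutate the caller's template
    params = template.get("Parameters", {})
    changed = []
    for name, spec in params.items():
        if SENSITIVE_KEY.search(name) and not _is_noecho(spec):
            spec["NoEcho"] = True
            changed.append(name)
    sensitive = [n for n, s in params.items() if _is_noecho(s)]
    leaking = [(out_name, p)
               for out_name, out in template.get("Outputs", {}).items()
               for p in sensitive
               if references(out.get("Value"), p)]
    return template, changed, leaking


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            src = json.load(fh)
    else:
        src = SAMPLE_TEMPLATE
    hardened, changed, leaking = harden(src)
    for out_name, param in leaking:
        print(f"WARNING: output {out_name} exposes NoEcho parameter {param}; remove it",
              file=sys.stderr)
    print(f"NoEcho set on: {changed}", file=sys.stderr)
    json.dump(hardened, sys.stdout, indent=2)
```

Run it on the real template, act on every WARNING by deleting or rewriting the offending output, and only then upload the result as the template referenced by --template-url.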

Backout Plan:

  1. Follow the implementation steps up to step 8

  2. Change the NoEcho attribute back to false, continue from step 10 of the implementation steps, and update the stack

Using AWS CLI:

Point --template-url at the previous version of the template (the one that still has NoEcho set to false; previous.template below is a placeholder for that object) and reuse the existing parameter values:

aws cloudformation update-stack --stack-name mystack --template-url https://s3.amazonaws.com/sample/previous.template --parameters ParameterKey=KeyPairName,UsePreviousValue=true ParameterKey=SubnetIDs,UsePreviousValue=true


Reference:

  1. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub.pdf
  2. https://aws.amazon.com/secrets-manager/
  3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html