Description:
CloudFormation outputs contain the results of the template that was created. These outputs may contain secrets, for example user names, passwords, and tokens. The outputs cannot be encrypted, so any entity with basic read-metadata-only permissions and access to CloudFormation outputs can read these secrets.
Rationale:
Make sure that no personal or other sensitive information is sent to or from the CloudFormation outputs. We strongly recommend against including NoEcho parameters, or any sensitive data, in resource properties that are part of a resource's primary identifier.
Impact:
Secrets left unprotected in CloudFormation outputs or parameters can be read by anyone with read access to the stack, which may impact the organization.
Default:
CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend that you don't use this section to output sensitive information, such as passwords or secrets.
Pre-requisites:
Sign in as an administrator or as an IAM user with the required permissions.
Remediation:
Test Plan:
1. Sign in to the AWS console.
2. Go to the CloudFormation service at console.aws.amazon.com/cloudformation.
3. Select Stacks in the left navigation pane.
4. Select the stack you want to audit.
5. Go to the Parameters tab.
6. If the parameters of the Metadata attribute are being displayed in the console, follow the implementation steps.
Using AWS CLI:
aws cloudformation describe-stacks --stack-name myteststack
Implementation Steps:
1. Sign in to the AWS console.
2. Go to the CloudFormation service at console.aws.amazon.com/cloudformation.
3. Select Stacks in the left navigation pane.
4. Select the stack you want to audit.
5. Click on the Update tab.
6. Click on Edit template in designer.
7. In that view, click on View in Designer.
8. Find the parameter that contains sensitive information; there you have the NoEcho attribute. Check whether it is set to false.
9. If it is, change the NoEcho attribute to true.
10. After that, click on the Create stack tab.
11. Click Next.
12. Change the name of the template and click Next.
13. Review the stack and click on Update stack.
Using AWS CLI:
Log in to your AWS CLI and configure your account, then run:
aws cloudformation update-stack --stack-name mystack --template-url https://s3.amazonaws.com/sample/updated.template --parameters ParameterKey=KeyPairName,UsePreviousValue=true ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\,UpdatedSampleSubnetID2
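The following Python script is an added example and is not part of this benchmark or of any AWS tooling. It automates the Test Plan and step 8 and 9 of the Implementation Steps offline: it reads the JSON that `aws cloudformation describe-stacks` returns (its Stacks, Outputs and Parameters fields) and a template's Parameters section, reports outputs whose names look sensitive (outputs are never redacted) and parameters that are displayed in clear text although their names look sensitive, and produces a copy of the template with NoEcho set to true on those parameters. The stack name, template, keyword list and all values are constructed sample data; the keyword heuristic is an assumption you should tune to your own naming conventions.

```python
import json

# Constructed heuristic: names containing these substrings are treated as
# potentially sensitive. Adjust for your own templates.
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "apikey",
                   "privatekey", "credential")


def looks_sensitive(name):
    """Case- and separator-insensitive match of a parameter/output name."""
    normalized = name.lower().replace("-", "").replace("_", "")
    return any(hint in normalized for hint in SENSITIVE_HINTS)


def audit_describe_stacks(describe_json):
    """Inspect the JSON from `aws cloudformation describe-stacks`.

    Returns (stack, kind, key) tuples for every output whose key looks
    sensitive and every parameter that looks sensitive but is shown in clear
    text. NoEcho parameters appear as '****' in this output, so a visible
    value means NoEcho is missing or false.
    """
    findings = []
    for stack in json.loads(describe_json)["Stacks"]:
        name = stack["StackName"]
        for out in stack.get("Outputs", []):
            if looks_sensitive(out["OutputKey"]):
                findings.append((name, "Output", out["OutputKey"]))
        for param in stack.get("Parameters", []):
            if looks_sensitive(param["ParameterKey"]) and param.get("ParameterValue") != "****":
                findings.append((name, "Parameter", param["ParameterKey"]))
    return findings


def parameters_missing_noecho(template):
    """Template-side check: sensitive-looking parameters without NoEcho: true."""
    params = template.get("Parameters", {})
    return sorted(
        key for key, spec in params.items()
        if looks_sensitive(key) and str(spec.get("NoEcho", "false")).lower() != "true"
    )


def set_noecho(template, param_names):
    """Return a copy of the template with NoEcho: true on the given parameters.

    The copy is what you would upload for `aws cloudformation update-stack`;
    the original template object is left untouched.
    """
    fixed = json.loads(json.dumps(template))
    for key in param_names:
        fixed["Parameters"][key]["NoEcho"] = True
    return fixed


# Constructed sample describe-stacks response (not real stack data).
SAMPLE_DESCRIBE = json.dumps({
    "Stacks": [{
        "StackName": "myteststack",
        "Parameters": [
            {"ParameterKey": "DBPassword", "ParameterValue": "hunter2"},
            {"ParameterKey": "KeyPairName", "ParameterValue": "ops-key"},
            {"ParameterKey": "ApiToken", "ParameterValue": "****"},
        ],
        "Outputs": [
            {"OutputKey": "DBEndpoint", "OutputValue": "db.example.internal"},
            {"OutputKey": "AdminPassword", "OutputValue": "hunter2"},
        ],
    }]
})

# Constructed sample template (the Parameters section is what matters here).
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "DBPassword": {"Type": "String"},
        "ApiToken": {"Type": "String", "NoEcho": "true"},
        "KeyPairName": {"Type": "AWS::EC2::KeyPair::KeyName"},
    },
    "Resources": {},
}

if __name__ == "__main__":
    for stack, kind, key in audit_describe_stacks(SAMPLE_DESCRIBE):
        print(f"{stack}: {kind} {key} exposes a sensitive-looking value")
    missing = parameters_missing_noecho(SAMPLE_TEMPLATE)
    print("parameters to set NoEcho on:", missing)
    print(json.dumps(set_noecho(SAMPLE_TEMPLATE, missing)["Parameters"], indent=2))
```

Setting NoEcho only masks the parameter value in the console and in describe-stacks; a secret that is also echoed through the Outputs section (AdminPassword in the sample) stays readable and has to be removed from Outputs, which is why the audit reports outputs separately.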
Backout Plan:
Follow the implementation steps up to step 8, change the NoEcho attribute to false, and then continue from step 10 of the implementation steps to update the stack.
Using AWS CLI:
aws cloudformation update-stack --stack-name mystack --template-url https://s3.amazonaws.com/sample/updated.template --parameters ParameterKey=KeyPairName,UsePreviousValue=false ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\,UpdatedSampleSubnetID2
Reference: