Profile Applicability:
Level 1
Description:
This control ensures that AWS CloudFormation stack outputs do not contain sensitive data such as passwords, API keys, access tokens, private keys, or other secrets. Since CloudFormation outputs are visible to anyone with permission to view stack details, exposing secrets in outputs can lead to data leakage or unauthorized access to critical systems and services.
Rationale:
CloudFormation stack outputs are often used to share configuration details between stacks or provide information to administrators. If sensitive data is exposed through outputs, it can easily be retrieved by any user or service with read access to the stack, violating the principle of least privilege. Storing secrets securely in services like AWS Secrets Manager or AWS Systems Manager Parameter Store (with KMS encryption) ensures they remain protected and auditable, reducing the risk of accidental exposure and aligning with compliance standards such as CIS, SOC 2, ISO 27001, and NIST 800-53.
Impact:
Positive Impact: Protects sensitive credentials and keys from being exposed in plaintext, ensuring compliance and reducing insider and external threat risks.
Negative Impact: Developers must modify templates to retrieve secrets securely from managed services rather than embedding them directly in stack outputs.
Default Value:
By default, AWS CloudFormation allows any value to be included in stack outputs unless explicitly restricted by the template author.
Pre-Requisite:
IAM permissions required: cloudformation:DescribeStacks, cloudformation:GetTemplate.
Defined list of sensitive keywords to scan for (e.g., “password”, “secret”, “token”, “accesskey”, “privatekey”).
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CloudFormation → Stacks.
Select each active stack and go to the Outputs tab.
Review all outputs for any plaintext sensitive values, such as credentials, tokens, or API keys.
If secrets are found in outputs, the stack is non-compliant.
Implementation Plan:
Using AWS Console:
Identify non-compliant CloudFormation stacks with sensitive information in outputs.
Modify the CloudFormation template to remove or replace secret values in the Outputs section. Example:
Store sensitive data securely using AWS Secrets Manager or Parameter Store.
Update dependent resources or stacks to retrieve the secret securely at runtime instead of reading from outputs.
Redeploy the updated stack to apply changes and remove exposed values from the outputs.
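The following Python script is an added example and is not part of this control text. It automates the review described in the Test Plan by applying the keyword list from the Pre-Requisite section to the Outputs structure returned by the CloudFormation DescribeStacks API, and it also checks output values for two literal-credential shapes (an AWS access key ID and a PEM private key header). An output whose value is an ARN is treated as a reference to a secret rather than a secret, which is the shape a remediated stack has after the Implementation Plan moves the value into Secrets Manager or Parameter Store and exposes only the ARN. The stack data below is constructed sample input; in a live scan the Stacks list would come from boto3's describe_stacks paginator, which is deliberately not imported so the script runs offline.

```python
import re

# Keyword list taken from the control's Pre-Requisite section, compared against a
# normalised (lower-case, alphanumeric-only) OutputKey.
DEFAULT_KEYWORDS = ("password", "secret", "token", "accesskey", "privatekey")

# Value patterns that indicate a literal credential regardless of how the key is named.
VALUE_PATTERNS = (
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),               # AWS access key ID
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM-encoded private key
)

# A value that is an ARN points at a secret (Secrets Manager / Parameter Store) rather
# than containing one; that is the remediated pattern, so it is not flagged.
ARN_PREFIX = re.compile(r"^arn:aws[a-z-]*:")


def _normalise(key):
    """Reduce 'Db-Password' / 'DB_PASSWORD' / 'DbPassword' to 'dbpassword'."""
    return re.sub(r"[^a-z0-9]", "", key.lower())


def classify_output(output, keywords=DEFAULT_KEYWORDS):
    """Return a reason string if the output appears to expose a secret, else None.

    `output` has the DescribeStacks shape: {"OutputKey": ..., "OutputValue": ...}.
    """
    key = output.get("OutputKey", "")
    value = str(output.get("OutputValue", ""))
    for pattern in VALUE_PATTERNS:
        if pattern.search(value):
            return "value matches credential pattern"
    if ARN_PREFIX.match(value):
        return None
    norm = _normalise(key)
    for kw in keywords:
        if kw in norm:
            return f"output key contains '{kw}'"
    return None


def find_sensitive_outputs(stacks, keywords=DEFAULT_KEYWORDS):
    """Scan a DescribeStacks 'Stacks' list and return one finding per suspect output."""
    findings = []
    for stack in stacks:
        for out in stack.get("Outputs", []):
            reason = classify_output(out, keywords)
            if reason:
                findings.append({
                    "StackName": stack["StackName"],
                    "OutputKey": out["OutputKey"],
                    "Reason": reason,
                })
    return findings


def non_compliant_stacks(stacks, keywords=DEFAULT_KEYWORDS):
    """Sorted names of stacks that have at least one finding (the control's fail set)."""
    return sorted({f["StackName"] for f in find_sensitive_outputs(stacks, keywords)})


# Constructed sample data in the shape of describe_stacks()["Stacks"]. The legacy stack
# exposes a plaintext password and an access key ID (the documented AWS placeholder
# value); the remediated stack exposes only the ARN of the Secrets Manager secret.
SAMPLE_STACKS = [
    {
        "StackName": "app-db-legacy",
        "Outputs": [
            {"OutputKey": "DbEndpoint", "OutputValue": "db.example.internal:5432"},
            {"OutputKey": "DbPassword", "OutputValue": "Example-Pl4intext-Value"},
            {"OutputKey": "DeployUser", "OutputValue": "AKIAIOSFODNN7EXAMPLE"},
        ],
    },
    {
        "StackName": "app-db-remediated",
        "Outputs": [
            {"OutputKey": "DbEndpoint", "OutputValue": "db.example.internal:5432"},
            {"OutputKey": "DbPasswordSecretArn",
             "OutputValue": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-AbCdEf"},
        ],
    },
]


if __name__ == "__main__":
    # For a live account, replace SAMPLE_STACKS with the concatenated "Stacks" lists from
    # boto3.client("cloudformation").get_paginator("describe_stacks").paginate().
    for f in find_sensitive_outputs(SAMPLE_STACKS):
        print(f"{f['StackName']}: {f['OutputKey']} -> {f['Reason']}")
    print("Non-compliant stacks:", non_compliant_stacks(SAMPLE_STACKS))
```

Keyword matching on the output key is the check the Test Plan asks for; the value patterns catch the common case where a secret is published under an innocuous name such as DeployUser. Because key matching alone would also flag a correctly remediated output like DbPasswordSecretArn, the ARN exemption is what keeps the scanner from reporting stacks that already follow the Implementation Plan.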
Backout Plan:
If a dependent resource fails after removing output-based secrets, temporarily provide necessary access via secure secret references until the integration is corrected.
Monitor for any unauthorized access attempts using AWS CloudTrail and AWS Config rules related to CloudFormation stacks.
References: