For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-amplify-app-access-token-exposed.md. A documentation index is available at /llms.txt.

Amplify app access token exposed

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-amplify-app-access-token-exposed

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Secret Management

Learn More

Description

Storing an Amplify access token in plaintext or as a parameter Default risks accidental disclosure (for example, via source control, template exports, or build logs) and can allow unauthorized access to connected repositories or services.

This rule checks AWS::Amplify::App resources and the Properties.AccessToken value.

  • The access token must not be a literal token string.
  • The access token must not be supplied via a parameter Default containing a token-like value.

Instead, AccessToken should reference a secure secret (for example, an AWS Secrets Manager dynamic reference) or be supplied via a template parameter without a Default and with NoEcho set to true so the token is not embedded in the template.

This rule flags tokens that resemble JWTs or long token strings (for example, >50 characters and dot-separated) when they appear inline or as parameter defaults and when there is no Secrets Manager reference.

Secure example using Secrets Manager dynamic reference:

MySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Name: amplify/access-token

MyApp:
  Type: AWS::Amplify::App
  Properties:
    Name: my-app
    AccessToken: '{{resolve:secretsmanager:amplify/access-token:SecretString:accessToken}}'

Secure example using a parameter without a Default:

Parameters:
  AmplifyAccessToken:
    Type: String
    NoEcho: true

MyApp:
  Type: AWS::Amplify::App
  Properties:
    Name: my-app
    AccessToken: !Ref AmplifyAccessToken

Compliant Code Examples

Resources:
     NewAmpApp:
        Type: AWS::Amplify::App
        Properties:
          AccessToken: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
          BuildSpec: String
          CustomHeaders: String
          Description: String
          EnableBranchAutoDeletion: true
          IAMServiceRole: String
          Name: NewAmpApp
          OauthToken: String
          Repository: String
     MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'

Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
Resources:
  NewAmp:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String

Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
    Default: ""
Resources:
  AmpApp:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
  NewAmpApp:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: True
      IAMServiceRole: String
      Name: String
      OauthToken: String
      Repository: String

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  ParentAccessToken:
    Description: 'Access Token'
    Type: String
    Default: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ'
Resources:
  AmpApp:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: !Ref ParentAccessToken
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  ParentUserToken:
    Description: 'UserToken'
    Type: String
Resources:
  NewApp:
    Type: AWS::Amplify::App
    Properties:
      AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ
      BuildSpec: String
      CustomHeaders: String
      Description: String
      EnableBranchAutoDeletion: true
      IAMServiceRole: String
      Name: NewAmpApp
      OauthToken: String
      Repository: String