--- title: Amplify app OAuth token exposed description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Amplify app OAuth token exposed --- # Amplify app OAuth token exposed {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-amplify-app-oauth-token-exposed` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Secret Management #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html) ### Description{% #description %} Amplify app OAuth tokens must not be embedded directly in templates or supplied as parameters with a `Default` value because plaintext or defaulted tokens can be exposed via source control, template snapshots, or CI/CD logs and would allow unauthorized access to linked source repositories and deployment pipelines. This rule checks resources of type `AWS::Amplify::App` and the `Properties.OauthToken` value. - `OauthToken` must not be a literal token string. - `OauthToken` must not be a `Ref`/value that resolves to a parameter which defines a `Default`. Instead, supply the token via a secrets service (for example, an AWS Secrets Manager or AWS Systems Manager Parameter Store (`SecureString`) dynamic reference) or via a parameter that has no `Default` and is injected at deploy time. This rule flags token-like literal values or parameter references where the referenced `Parameters..Default` is defined and does not consider Secrets Manager/SSM dynamic references as violations. Secure examples (CloudFormation YAML): Using Secrets Manager dynamic reference: ```yaml MyAmplifyApp: Type: AWS::Amplify::App Properties: Name: my-app OauthToken: "{{resolve:secretsmanager:my-secret-id:SecretString:oauth_token}}" ``` Using a Parameter without a Default (supply at deploy time, set NoEcho=true): ```yaml Parameters: GithubTokenParam: Type: String NoEcho: true Resources: MyAmplifyApp: Type: AWS::Amplify::App Properties: Name: my-app OauthToken: !Ref GithubTokenParam ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Resources: NewAmpApp-2: Type: AWS::Amplify::App Properties: BuildSpec: String CustomHeaders: String Description: String EnableBranchAutoDeletion: true IAMServiceRole: String Name: NewAmpApp Repository: String OauthToken: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' MyAmpAppSecretManagerRotater: Type: AWS::SecretsManager::Secret Properties: Description: 'This is my amp app instance secret' GenerateSecretString: SecretStringTemplate: '{"username": "admin"}' GenerateStringKey: 'password' PasswordLength: 16 ExcludeCharacters: '"@/\' ``` ```yaml Parameters: ParentPassword: Description: 'Password' Type: String ParentUsername: Description: 'Username' Type: String Resources: NewAmpApp-1: Type: AWS::Amplify::App Properties: BuildSpec: String CustomHeaders: String Description: String EnableBranchAutoDeletion: true IAMServiceRole: String Name: NewAmpApp Repository: String OauthToken: !Ref ParentPassword ``` ```yaml Parameters: ParentPassword: Description: 'Password' Type: String Default: "" ParentUsername: Description: 'Username' Type: String Default: "" Resources: NewAmpApp-4: Type: AWS::Amplify::App Properties: BuildSpec: String CustomHeaders: String Description: String EnableBranchAutoDeletion: true IAMServiceRole: String Name: NewAmpApp Repository: String OauthToken: !Ref ParentPassword ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Resources: NewAmpApp-1: Type: AWS::Amplify::App Properties: BuildSpec: String CustomHeaders: String Description: String EnableBranchAutoDeletion: true IAMServiceRole: String Name: NewAmpApp Repository: String OauthToken: 'CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA' ``` ```yaml Parameters: ParentPassword: Description: 'Password' Type: String Default: 'CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA' ParentUsername: Description: 'Username' Type: String Default: "" Resources: NewAmpApp-4: Type: AWS::Amplify::App Properties: BuildSpec: String CustomHeaders: String Description: String EnableBranchAutoDeletion: true IAMServiceRole: String Name: NewAmpApp OauthToken: !Ref ParentPassword Repository: String BasicAuthConfig: EnableBasicAuth: true Password: !Ref ParentPassword Username: !Ref ParentUsername ``` ```json { "Resources": { "NewAmpApp-1": { "Type": "AWS::Amplify::App", "Properties": { "Name": "NewAmpApp", "Repository": "String", "OauthToken": "CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA", "BuildSpec": "String", "CustomHeaders": "String", "Description": "String", "EnableBranchAutoDeletion": true, "IAMServiceRole": "String" } } } } ```