For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-amplify-branch-basic-auth-config-password-exposed.md. A documentation index is available at /llms.txt.

Amplify branch basic auth config password exposed

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-amplify-branch-basic-auth-config-password-exposed

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Secret Management

Learn More

Description

Storing an Amplify branch basic auth password in the template or as a parameter Default exposes credentials in source control, template history, and stack artifacts and can allow unauthorized access to your branch.

This rule checks AWS::Amplify::Branch resources where BasicAuthConfig.EnableBasicAuth is set to true.

  • BasicAuthConfig.Password must not be a plain string value.
  • BasicAuthConfig.Password must not be a Ref to a Parameters entry that defines a Default containing the secret.

Instead, store the credential in a secret management service or a secure AWS Systems Manager Parameter Store parameter and reference it from the template. This rule flags Password values that look like plaintext passwords (for example, >=8 characters) or parameter defaults and that are not backed by a Secrets Manager reference. Secure example using a Secrets Manager dynamic reference:

MyBranch:
  Type: AWS::Amplify::Branch
  Properties:
    BasicAuthConfig:
      EnableBasicAuth: true
      Username: basic-user
      Password: "{{resolve:secretsmanager:my-secret-id:SecretString:password}}"

Compliant Code Examples

Resources:
     NewAmpApp:
        Type: AWS::Amplify::App
        Properties:
          BuildSpec: String
          CustomHeaders: String
          Description: String
          EnableBranchAutoDeletion: true
          IAMServiceRole: String
          Name: NewAmpApp
          OauthToken: String
          Repository: String
          BasicAuthConfig :
            EnableBasicAuth: true
            Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
            Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}'
     MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'


Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
  ParentUsername:
    Description: 'Username'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername


Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    Default: ""
    NoEcho: true
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername

Non-Compliant Code Examples

Resources:
  NewAmpApp1:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: "@skdsjdk0234!AB"
        Username: admin

Parameters:
  ParentPassword:
    Description: 'Password'
    Type: String
    Default: "@skdsjdk0234!AB"
  ParentUsername:
    Description: 'Username'
    Type: String
    Default: ""
Resources:
  NewAmpApp4:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: String
      BranchName: String
      BuildSpec: String
      Description: String
      EnableAutoBuild: false
      EnablePerformanceMode: false
      EnablePullRequestPreview: false
      EnvironmentVariables:
        - EnvironmentVariable
      PullRequestEnvironmentName: String
      Stage: String
      BasicAuthConfig:
        EnableBasicAuth: true
        Password: !Ref ParentPassword
        Username: !Ref ParentUsername

{
  "Resources": {
    "NewAmpApp1": {
      "Type": "AWS::Amplify::Branch",
      "Properties": {
        "BranchName": "String",
        "EnableAutoBuild": false,
        "EnvironmentVariables": [
          "EnvironmentVariable"
        ],
        "PullRequestEnvironmentName": "String",
        "AppId": "String",
        "Description": "String",
        "EnablePerformanceMode": false,
        "EnablePullRequestPreview": false,
        "Stage": "String",
        "BasicAuthConfig": {
          "EnableBasicAuth": true,
          "Password": "@skdsjdk0234!AB",
          "Username": "admin"
        },
        "BuildSpec": "String"
      }
    }
  }
}