Storing Microsoft AD passwords in plaintext or as a parameter Default in CloudFormation exposes credentials to source control, template archives, and other readers. This can enable unauthorized access to the directory and lateral movement across your environment.
For resources of type AWS::DirectoryService::MicrosoftAD, Properties.Password must not be a literal string or a Ref to a Parameters.<Name> that defines a Default password.
Instead, Password should reference a secure secret (for example, an AWS Secrets Manager secret or an AWS Systems Manager Parameter Store SecureString parameter) or be supplied via a CloudFormation parameter that has no Default and uses NoEcho set to true. This rule flags Password values that are plaintext or that point to a parameter with a Default value matching a password pattern. Remove parameter defaults containing secrets and prefer Secrets Manager references or parameterized input at deployment time.
```yaml
Resources:
  NewAmpApp-2:
    Type: AWS::DirectoryService::MicrosoftAD
    Properties:
      CreateAlias: true
      Edition: String
      EnableSso: true
      Name: String
      Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
      ShortName: String
  MyAmpAppSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my amp app instance secret'
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
```
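As an added illustration of the check this rule describes (example code, not Datadog's rule implementation), the following Python walks a CloudFormation template already loaded into dicts and reports each `AWS::DirectoryService::MicrosoftAD` resource whose `Password` is a plaintext literal, a `Ref` to a parameter that ships a `Default`, or a `Ref` to a parameter without `NoEcho`, while accepting Secrets Manager dynamic references like the one above. The sample templates, the logical IDs, and the treatment of `ssm-secure` references as secure are assumptions.

```python
import re

AD_TYPE = "AWS::DirectoryService::MicrosoftAD"
# Deploy-time dynamic references that never embed the secret in the template
# (assumption: only secretsmanager and ssm-secure references count as secure).
SECURE_REF = re.compile(r"\{\{resolve:(secretsmanager|ssm-secure):")


def is_secure_reference(value):
    """True when Password is resolved from a secret store at deploy time."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        body = value["Fn::Sub"]          # string form, or [string, {vars}] list form
        value = body[0] if isinstance(body, list) else body
    return isinstance(value, str) and SECURE_REF.search(value) is not None


def find_insecure_ad_passwords(template):
    """Return (logical_id, reason) for each MicrosoftAD whose Password is a plaintext
    literal, a Ref to a parameter shipping a Default, or a Ref to one without NoEcho."""
    findings = []
    params = template.get("Parameters", {})
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != AD_TYPE:
            continue
        pw = res.get("Properties", {}).get("Password")
        if pw is None or is_secure_reference(pw):
            continue
        if isinstance(pw, str):
            findings.append((logical_id, "plaintext password literal"))
        elif isinstance(pw, dict) and "Ref" in pw:
            name, param = pw["Ref"], params.get(pw["Ref"], {})
            # Assumption: any non-empty Default on a password parameter is a baked-in secret.
            if param.get("Default") not in (None, ""):
                findings.append((logical_id, f"Ref to parameter {name} with a Default password"))
            elif not param.get("NoEcho"):
                findings.append((logical_id, f"Ref to parameter {name} without NoEcho"))
    return findings


# Constructed sample templates (not from the page) in the dict form a YAML loader
# yields: `!Sub` becomes {"Fn::Sub": ...} and `!Ref` becomes {"Ref": ...}.
COMPLIANT = {"Resources": {
    "CorpAd": {"Type": AD_TYPE, "Properties": {"Name": "corp.example.internal",
               "Password": {"Fn::Sub": "{{resolve:secretsmanager:${AdSecret}::password}}"}}},
    "AdSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {}}}}
NONCOMPLIANT = {"Parameters": {"AdPassword": {"Type": "String", "Default": "ChangeMe123!"}},
    "Resources": {"LiteralAd": {"Type": AD_TYPE, "Properties": {"Password": "P@ssw0rd"}},
                  "DefaultAd": {"Type": AD_TYPE, "Properties": {"Password": {"Ref": "AdPassword"}}}}}

if __name__ == "__main__":
    for tpl in (COMPLIANT, NONCOMPLIANT):
        print(find_insecure_ad_passwords(tpl))
```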