---
title: Directory service Microsoft AD password set to plaintext or default ref
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Directory service Microsoft AD password set to
  plaintext or default ref
---

# Directory service Microsoft AD password set to plaintext or default ref

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-directory-service-microsoft-ad-password-set-to-plaintext-or-default-ref` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** High

**Category:** Secret Management

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-microsoftad.html)

### Description{% #description %}

Storing Microsoft AD passwords in plaintext or as a parameter `Default` in CloudFormation exposes credentials to source control, template archives, and other readers. This can enable unauthorized access to the directory and lateral movement across your environment.

For resources of type `AWS::DirectoryService::MicrosoftAD`, `Properties.Password` must not be a literal string or a `Ref` to a `Parameters.<Name>` that defines a `Default` password.

Instead, `Password` should reference a secure secret (for example, an AWS Secrets Manager secret or an AWS Systems Manager Parameter Store `SecureString` parameter) or be supplied via a CloudFormation parameter that has no `Default` and uses `NoEcho` set to `true`. This rule flags `Password` values that are plaintext or that point to a parameter with a `Default` value matching a password pattern. Remove parameter defaults containing secrets and prefer Secrets Manager references or parameterized input at deployment time.

Secure examples:

```yaml
MyDirectory:
  Type: AWS::DirectoryService::MicrosoftAD
  Properties:
    Name: corp.example.com
    Password: '{{resolve:secretsmanager:my-secret-id:SecretString:password}}'
    VpcSettings:
      VpcId: vpc-123456
      SubnetIds:
        - subnet-abc
        - subnet-def
```

```yaml
Parameters:
  ADPassword:
    Type: String
    NoEcho: true

MyDirectory:
  Type: AWS::DirectoryService::MicrosoftAD
  Properties:
    Name: corp.example.com
    Password: !Ref ADPassword
    VpcSettings:
      VpcId: vpc-123456
      SubnetIds:
        - subnet-abc
        - subnet-def
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  NewAmpApp-1:
      Type: AWS::DirectoryService::MicrosoftAD
      Properties:
          CreateAlias: true
          Edition: String
          EnableSso: true
          Name: String
          Password: !Ref ParentMasterPassword
          ShortName: String
```

```yaml

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  NewAmpApp-1:
    Type: AWS::DirectoryService::MicrosoftAD
    Properties:
      CreateAlias: true
      Edition: String
      EnableSso: true
      Name: String
      Password: !Ref ParentMasterPassword
      ShortName: String
```

```yaml

Resources:
    NewAmpApp-2:
        Type: AWS::DirectoryService::MicrosoftAD
        Properties:
            CreateAlias: true
            Edition: String
            EnableSso: true
            Name: String
            Password:  !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
            ShortName: String
    MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
Parameters:
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  NewAmpApp-2:
      Type: AWS::DirectoryService::MicrosoftAD
      Properties:
          CreateAlias: true
          Edition: String
          EnableSso: true
          Name: String
          Password: 'asDjskjs73!!'
          ShortName: String
```

```yaml
Resources:
  NewAmpApp:
      Type: AWS::DirectoryService::MicrosoftAD
      Properties:
          CreateAlias: true
          Edition: String
          EnableSso: true
          Name: String
          Password: 'asDjskjs73!!'
          ShortName: String
```

```yaml
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: 'asDjskjs73!'
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  NewAmpApp-1:
      Type: AWS::DirectoryService::MicrosoftAD
      Properties:
          CreateAlias: true
          EnableSso: true
          Edition: String
          Name: String
          Password: !Ref ParentMasterPassword
          ShortName: String
```