For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-directory-service-simple-ad-password-exposed.md.
Storing AWS Directory Service Simple AD passwords in plaintext or as parameter Default values in CloudFormation exposes directory credentials to anyone who can read the template or parameter defaults. This can enable unauthorized access, lateral movement, and credential leakage via template repositories or build logs.
For AWS::DirectoryService::SimpleAD resources, Properties.Password must not be a hard-coded string or a reference to a parameter that defines a Default value. Instead, provide the secret via a secrets service or as a parameter with no Default so it is supplied at deployment time.
Resources are flagged if Properties.Password is a literal password string, if it is a Ref to a parameter whose Parameters.<name>.Default contains a password-like value, or if the value is not backed by an AWS Secrets Manager or secure parameter reference.
Secure examples include referencing an AWS Secrets Manager secret via a dynamic reference or using a parameter without a Default and supplying the password at deploy time.
```yaml
Resources:
  NewAmpApp3:
    Type: AWS::DirectoryService::SimpleAD
    Properties:
      CreateAlias: true
      Description: String
      EnableSso: true
      Name: String
      Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
      ShortName: String
      Size: String
  MyAmpAppSecretManagerRotater:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my amp app instance secret'
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
```
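The three flagging conditions above can be applied by a small template checker. The following is an added example, not Datadog's rule engine or any AWS tooling: it is stdlib-only and operates on a CloudFormation template in its JSON form (a `json.load` of a JSON template, or a YAML template whose `!Ref`/`!Sub` tags a loader has expanded into `{"Ref": ...}`/`{"Fn::Sub": ...}` maps). The sample templates, the resource names, the parameter `DirPassword` and the password values in them are constructed for the example. One simplification is an assumption of this example rather than the page's wording: any non-empty string `Default` on the referenced parameter is treated as exposed, rather than only "password-like" ones.

```python
"""Check CloudFormation templates (parsed JSON form) for exposed SimpleAD passwords.

Added example; not the Datadog rule implementation. Assumes the template has
already been parsed into a dict and that YAML short-form tags were expanded.
"""
import json
import re

SIMPLE_AD_TYPE = "AWS::DirectoryService::SimpleAD"

# Dynamic references resolved by CloudFormation at deploy time, so the secret
# never lives in the template. Both prefixes are documented CloudFormation syntax.
_SECURE_REF = re.compile(r"\{\{resolve:(secretsmanager|ssm-secure):.+?\}\}")


def _is_secure_dynamic_reference(value: str) -> bool:
    """True if the string contains a Secrets Manager or SSM SecureString dynamic reference."""
    return bool(_SECURE_REF.search(value))


def check_template(template: dict) -> list[str]:
    """Return one finding per SimpleAD resource whose Password is exposed."""
    findings = []
    parameters = template.get("Parameters", {})
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SIMPLE_AD_TYPE:
            continue
        password = resource.get("Properties", {}).get("Password")
        if password is None:
            continue  # a missing property is outside this rule's scope
        if isinstance(password, str):
            # Plain string: only acceptable when it is a secure dynamic reference.
            if not _is_secure_dynamic_reference(password):
                findings.append(f"{logical_id}: Password is a hard-coded literal")
        elif isinstance(password, dict) and "Ref" in password:
            # Parameter reference: exposed if the parameter ships a Default.
            name = password["Ref"]
            default = parameters.get(name, {}).get("Default")
            if isinstance(default, str) and default:
                findings.append(
                    f"{logical_id}: Password Refs parameter {name!r} with a Default value"
                )
        elif isinstance(password, dict) and "Fn::Sub" in password:
            # Fn::Sub takes either a string or [string, {vars}]; inspect the string.
            sub = password["Fn::Sub"]
            text = sub if isinstance(sub, str) else sub[0]
            if not _is_secure_dynamic_reference(text):
                findings.append(
                    f"{logical_id}: Password is built with Fn::Sub but not from a secrets reference"
                )
        else:
            findings.append(
                f"{logical_id}: Password is not backed by a Secrets Manager or secure parameter reference"
            )
    return findings


# Constructed sample templates (not from the page): one that violates the rule
# twice, one that satisfies it both ways the page describes.
INSECURE_TEMPLATE = {
    "Parameters": {"DirPassword": {"Type": "String", "Default": "ChangeMe123!"}},
    "Resources": {
        "LiteralAd": {
            "Type": SIMPLE_AD_TYPE,
            "Properties": {"Name": "corp.example", "Password": "Constructed-P@ss1", "Size": "Small"},
        },
        "DefaultedAd": {
            "Type": SIMPLE_AD_TYPE,
            "Properties": {"Name": "corp.example", "Password": {"Ref": "DirPassword"}, "Size": "Small"},
        },
        "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}

SECURE_TEMPLATE = {
    "Parameters": {"DirPassword": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "SecretBackedAd": {
            "Type": SIMPLE_AD_TYPE,
            "Properties": {
                "Name": "corp.example",
                "Password": {"Fn::Sub": "{{resolve:secretsmanager:${AdSecret}::password}}"},
                "Size": "Small",
            },
        },
        "ParamAd": {
            "Type": SIMPLE_AD_TYPE,
            "Properties": {"Name": "corp.example", "Password": {"Ref": "DirPassword"}, "Size": "Small"},
        },
        "AdSecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"GenerateSecretString": {"GenerateStringKey": "password"}},
        },
    },
}


if __name__ == "__main__":
    for label, tpl in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(f"{label}: {json.dumps(check_template(tpl), indent=2)}")
```

Running the module prints two findings for the insecure template (a literal and a Ref to a defaulted parameter) and none for the secure one, where the password either comes from a Secrets Manager dynamic reference or from a parameter with no Default that must be supplied at deploy time.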