For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-dms-endpoint-password-exposed.md. A documentation index is available at /llms.txt.

DMS endpoint password exposed

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-dms-endpoint-password-exposed

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Secret Management

Learn More

Description

Storing AWS DMS endpoint passwords as plaintext in a template or embedding them as a parameter Default exposes credentials in source control, CloudFormation templates, and stack metadata. This increases the risk of unauthorized access to database resources.

For AWS::DMS::Endpoint resources, Properties.Password must not be a plain string literal or a Ref to a Parameters.<Name> that defines a Default value. Instead, Password should reference an AWS Secrets Manager secret or be supplied via a CloudFormation parameter without a Default (use NoEcho set to true to avoid echoing).

Resources that contain plaintext passwords or parameter references with defaults will be flagged as insecure. Acceptable secure patterns include dynamic Secrets Manager references or parameters provided at deployment time.

Secure examples (CloudFormation YAML):

Parameters:
  DbPassword:
    Type: String
    NoEcho: true

MyDmsEndpoint:
  Type: AWS::DMS::Endpoint
  Properties:
    EndpointIdentifier: my-endpoint
    EngineName: mysql
    Username: dbuser
    Password: !Ref DbPassword

MyDmsEndpoint:
  Type: AWS::DMS::Endpoint
  Properties:
    EndpointIdentifier: my-endpoint
    EngineName: mysql
    Username: dbuser
    Password: "{{resolve:secretsmanager:my-db-secret:SecretString:password}}"

Compliant Code Examples

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint1:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  DMSEndpoint2:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String

Resources:
    DMSEndpoint3:
      Type: AWS::DMS::Endpoint
      Properties:
        CertificateArn: String
        DatabaseName: String
        EndpointIdentifier: String
        EndpointType: String
        EngineName: String
        ExtraConnectionAttributes: String
        KafkaSettings:
          KafkaSettings
        KinesisSettings:
          KinesisSettings
        KmsKeyId: String
        MongoDbSettings:
          MongoDbSettings
        NeptuneSettings:
          NeptuneSettings
        Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        Port: 80
        S3Settings:
          S3Settings
        ServerName: String
        SslMode: String
        Tags:
          - Tag
        Username: String
    MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'

Non-Compliant Code Examples

Resources:
  DMSEndpoint4:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: 'asDjskjs73!'
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint5:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String

Parameters:
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint6:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String