---
title: DMS endpoint password exposed
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > DMS endpoint password exposed
---

# DMS endpoint password exposed

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-dms-endpoint-password-exposed` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** High

**Category:** Secret Management

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html)

### Description{% #description %}

Storing AWS DMS endpoint passwords as plaintext in a template or embedding them as a parameter `Default` exposes credentials in source control, CloudFormation templates, and stack metadata. This increases the risk of unauthorized access to database resources.

For `AWS::DMS::Endpoint` resources, `Properties.Password` must not be a plain string literal or a `Ref` to a `Parameters.<Name>` that defines a `Default` value. Instead, `Password` should reference an AWS Secrets Manager secret or be supplied via a CloudFormation parameter without a `Default` (use `NoEcho` set to `true` to avoid echoing).

Resources that contain plaintext passwords or parameter references with defaults will be flagged as insecure. Acceptable secure patterns include dynamic Secrets Manager references or parameters provided at deployment time.

Secure examples (CloudFormation YAML):

```yaml
Parameters:
  DbPassword:
    Type: String
    NoEcho: true

MyDmsEndpoint:
  Type: AWS::DMS::Endpoint
  Properties:
    EndpointIdentifier: my-endpoint
    EngineName: mysql
    Username: dbuser
    Password: !Ref DbPassword
```

```yaml
MyDmsEndpoint:
  Type: AWS::DMS::Endpoint
  Properties:
    EndpointIdentifier: my-endpoint
    EngineName: mysql
    Username: dbuser
    Password: "{{resolve:secretsmanager:my-db-secret:SecretString:password}}"
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint1:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
```

```yaml
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username'
Resources:
  DMSEndpoint2:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
```

```yaml
Resources:
    DMSEndpoint3:
      Type: AWS::DMS::Endpoint
      Properties:
        CertificateArn: String
        DatabaseName: String
        EndpointIdentifier: String
        EndpointType: String
        EngineName: String
        ExtraConnectionAttributes: String
        KafkaSettings:
          KafkaSettings
        KinesisSettings:
          KinesisSettings
        KmsKeyId: String
        MongoDbSettings:
          MongoDbSettings
        NeptuneSettings:
          NeptuneSettings
        Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
        Port: 80
        S3Settings:
          S3Settings
        ServerName: String
        SslMode: String
        Tags:
          - Tag
        Username: String
    MyAmpAppSecretManagerRotater:
        Type: AWS::SecretsManager::Secret
        Properties:
          Description: 'This is my amp app instance secret'
          GenerateSecretString:
            SecretStringTemplate: '{"username": "admin"}'
            GenerateStringKey: 'password'
            PasswordLength: 16
            ExcludeCharacters: '"@/\'
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
Resources:
  DMSEndpoint4:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
```

```yaml
Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: 'asDjskjs73!'
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint5:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: !Ref ParentMasterPassword
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
```

```yaml
Parameters:
  ParentMasterUsername:
    Description: 'username'
    Type: String
    Default: 'username!'
Resources:
  DMSEndpoint6:
    Type: AWS::DMS::Endpoint
    Properties:
      CertificateArn: String
      DatabaseName: String
      EndpointIdentifier: String
      EndpointType: String
      EngineName: String
      ExtraConnectionAttributes: String
      KafkaSettings:
        KafkaSettings
      KinesisSettings:
        KinesisSettings
      KmsKeyId: String
      MongoDbSettings:
        MongoDbSettings
      NeptuneSettings:
        NeptuneSettings
      Password: 'asDjskjs73!!'
      Port: 80
      S3Settings:
        S3Settings
      ServerName: String
      SslMode: String
      Tags:
        - Tag
      Username: String
```