For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-docdb-cluster-master-password-in-plaintext.md. A documentation index is available at /llms.txt.

DocDB cluster master password in plaintext

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-docdb-cluster-master-password-in-plaintext

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Secret Management

Learn More

Description

Amazon DocumentDB (AWS::DocDB::DBCluster) master user passwords must not be embedded as plaintext in the template or stored as parameter Default values. Exposed credentials in IaC or parameter defaults can be checked into source control or viewed in consoles and lead to unauthorized database access.

For AWS::DocDB::DBCluster resources, validate Resources.<name>.Properties.MasterUserPassword. It must reference an AWS Secrets Manager secret or a parameter that does not define a Default. When using a parameter for passwords, set NoEcho: true and omit Default. Alternatively, use a Secrets Manager dynamic reference or an AWS::SecretsManager::Secret resource and reference its secret value.

Resources with MasterUserPassword set to a literal string, or parameters that include a password-like Default, will be flagged.

Secure examples:

Parameters:
  DBPassword:
    Type: String
    NoEcho: true

Resources:
  MyDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: admin
      MasterUserPassword: !Ref DBPassword

Resources:
  MyDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: admin
      MasterUserPassword: '{{resolve:secretsmanager:my-db-secret:SecretString:password}}'

Compliant Code Examples

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: ''
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

{
  "Parameters": {
    "ParentAccessToken": {
      "Description": "Access Token",
      "Type": "String",
      "Default": ""
    }
  },
  "Resources": {
    "NewAmpApp4": {
      "Type": "AWS::Amplify::App",
      "Properties": {
        "AccessToken": "ParentAccessToken",
        "Description": "String",
        "Repository": "String",
        "OauthToken": "String",
        "BuildSpec": "String",
        "CustomHeaders": "String",
        "EnableBranchAutoDeletion": true,
        "IAMServiceRole": "String",
        "Name": "NewAmpApp"
      }
    }
  }
}

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

Non-Compliant Code Examples

Resources:
  NewAmpApp:
    Type:  AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: 'asDjskjs73!!'
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

Parameters:
  ParentMasterPassword:
    Description: 'Password'
    Type: String
    Default: 'asDjskjs73!'
Resources:
  NewAmpApp1:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: !Ref ParentMasterPassword
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true

Resources:
  NewAmpApp03:
    Type:  AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      DBClusterParameterGroupName: "default.docdb3.6"
      DBSubnetGroupName: "default"
      DeletionProtection: true
      KmsKeyId: "your-kms-key-id"
      MasterUsername: "your-master-username"
      MasterUserPassword: 'asDjskjs73!!'
      Port: 27017
      PreferredBackupWindow: "07:34-08:04"
      PreferredMaintenanceWindow: "sat:04:51-sat:05:21"
      SnapshotIdentifier: "sample-cluster-snapshot-id"
      StorageEncrypted: true