--- title: DocDB cluster master password in plaintext description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > DocDB cluster master password in plaintext --- # DocDB cluster master password in plaintext {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-docdb-cluster-master-password-in-plaintext` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Secret Management #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html) ### Description{% #description %} Amazon DocumentDB (`AWS::DocDB::DBCluster`) master user passwords must not be embedded as plaintext in the template or stored as parameter `Default` values. Exposed credentials in IaC or parameter defaults can be checked into source control or viewed in consoles and lead to unauthorized database access. For `AWS::DocDB::DBCluster` resources, validate `Resources..Properties.MasterUserPassword`. It must reference an AWS Secrets Manager secret or a parameter that does not define a `Default`. When using a parameter for passwords, set `NoEcho: true` and omit `Default`. Alternatively, use a Secrets Manager dynamic reference or an `AWS::SecretsManager::Secret` resource and reference its secret value. Resources with `MasterUserPassword` set to a literal string, or parameters that include a password-like `Default`, will be flagged. Secure examples: ```yaml Parameters: DBPassword: Type: String NoEcho: true Resources: MyDBCluster: Type: AWS::DocDB::DBCluster Properties: MasterUsername: admin MasterUserPassword: !Ref DBPassword ``` ```yaml Resources: MyDBCluster: Type: AWS::DocDB::DBCluster Properties: MasterUsername: admin MasterUserPassword: '{{resolve:secretsmanager:my-db-secret:SecretString:password}}' ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String Default: '' Resources: NewAmpApp1: Type: AWS::DocDB::DBCluster Properties: BackupRetentionPeriod: 8 DBClusterIdentifier: "sample-cluster" DBClusterParameterGroupName: "default.docdb3.6" DBSubnetGroupName: "default" DeletionProtection: true KmsKeyId: "your-kms-key-id" MasterUsername: "your-master-username" MasterUserPassword: !Ref ParentMasterPassword Port: 27017 PreferredBackupWindow: "07:34-08:04" PreferredMaintenanceWindow: "sat:04:51-sat:05:21" SnapshotIdentifier: "sample-cluster-snapshot-id" StorageEncrypted: true ``` ```json { "Parameters": { "ParentAccessToken": { "Description": "Access Token", "Type": "String", "Default": "" } }, "Resources": { "NewAmpApp4": { "Type": "AWS::Amplify::App", "Properties": { "AccessToken": "ParentAccessToken", "Description": "String", "Repository": "String", "OauthToken": "String", "BuildSpec": "String", "CustomHeaders": "String", "EnableBranchAutoDeletion": true, "IAMServiceRole": "String", "Name": "NewAmpApp" } } } } ``` ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String Resources: NewAmpApp1: Type: AWS::DocDB::DBCluster Properties: BackupRetentionPeriod: 8 DBClusterIdentifier: "sample-cluster" DBClusterParameterGroupName: "default.docdb3.6" DBSubnetGroupName: "default" DeletionProtection: true KmsKeyId: "your-kms-key-id" MasterUsername: "your-master-username" MasterUserPassword: !Ref ParentMasterPassword Port: 27017 PreferredBackupWindow: "07:34-08:04" PreferredMaintenanceWindow: "sat:04:51-sat:05:21" SnapshotIdentifier: "sample-cluster-snapshot-id" StorageEncrypted: true ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Resources: NewAmpApp: Type: AWS::DocDB::DBCluster Properties: BackupRetentionPeriod: 8 DBClusterIdentifier: "sample-cluster" DBClusterParameterGroupName: "default.docdb3.6" DBSubnetGroupName: "default" DeletionProtection: true KmsKeyId: "your-kms-key-id" MasterUsername: "your-master-username" MasterUserPassword: 'asDjskjs73!!' Port: 27017 PreferredBackupWindow: "07:34-08:04" PreferredMaintenanceWindow: "sat:04:51-sat:05:21" SnapshotIdentifier: "sample-cluster-snapshot-id" StorageEncrypted: true ``` ```yaml Parameters: ParentMasterPassword: Description: 'Password' Type: String Default: 'asDjskjs73!' Resources: NewAmpApp1: Type: AWS::DocDB::DBCluster Properties: BackupRetentionPeriod: 8 DBClusterIdentifier: "sample-cluster" DBClusterParameterGroupName: "default.docdb3.6" DBSubnetGroupName: "default" DeletionProtection: true KmsKeyId: "your-kms-key-id" MasterUsername: "your-master-username" MasterUserPassword: !Ref ParentMasterPassword Port: 27017 PreferredBackupWindow: "07:34-08:04" PreferredMaintenanceWindow: "sat:04:51-sat:05:21" SnapshotIdentifier: "sample-cluster-snapshot-id" StorageEncrypted: true ``` ```yaml Resources: NewAmpApp03: Type: AWS::DocDB::DBCluster Properties: BackupRetentionPeriod: 8 DBClusterIdentifier: "sample-cluster" DBClusterParameterGroupName: "default.docdb3.6" DBSubnetGroupName: "default" DeletionProtection: true KmsKeyId: "your-kms-key-id" MasterUsername: "your-master-username" MasterUserPassword: 'asDjskjs73!!' Port: 27017 PreferredBackupWindow: "07:34-08:04" PreferredMaintenanceWindow: "sat:04:51-sat:05:21" SnapshotIdentifier: "sample-cluster-snapshot-id" StorageEncrypted: true ```