IAM user LoginProfile password is in plaintext
Id: cloudformation-aws-iam-user-login-profile-password-is-in-plaintext
Provider: AWS
Platform: CloudFormation
Severity: High
Category: Secret Management
Description

Defining an IAM user's console password as a plaintext string in an AWS CloudFormation template embeds credentials in source control and template history, increasing the risk of credential leakage and unauthorized account access. For AWS::IAM::User resources, Properties.LoginProfile.Password must not be a string literal. Resources where Properties.LoginProfile.Password is a literal string will be flagged. Use an AWS Secrets Manager dynamic reference to supply the password so it is not stored directly in the template.
Secure configuration example using a Secrets Manager dynamic reference:

```yaml
MyUser:
  Type: AWS::IAM::User
  Properties:
    UserName: example-user
    LoginProfile:
      Password: "{{resolve:secretsmanager:my-app/iam/user-password:SecretString:password}}"
      PasswordResetRequired: true
```
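The check the rule describes can be reproduced outside Datadog as a small pre-commit or CI scan. The script below is an added example, not Datadog's rule implementation or any code from the page: it walks a CloudFormation template in JSON form with only the standard library, finds every AWS::IAM::User whose Properties.LoginProfile.Password is a string literal, and reports the logical ID without echoing the password itself. It assumes, consistent with the secure example above, that a `{{resolve:secretsmanager:...}}` dynamic reference counts as compliant even though it is syntactically a string; intrinsic functions such as `{"Ref": ...}` parse as dicts and are never literals. The sample template and its resource names are constructed for the example. JSON is used rather than YAML because parsing CloudFormation YAML requires a loader that understands the `!Ref`/`!GetAtt` short-form tags.

```python
"""Flag AWS::IAM::User resources whose console password is a plaintext literal.

Added example (not the Datadog rule's own code). Operates on the JSON form of
a CloudFormation template using only the standard library.
"""
import json
import re

# Assumption: a Secrets Manager dynamic reference is resolved by CloudFormation
# at deploy time, so the secret never lives in the template. Treat it as compliant.
DYNAMIC_REF = re.compile(r"^\{\{resolve:secretsmanager:[^}]+\}\}$")


def is_plaintext_password(value):
    """True when the Password value is a string literal and not a dynamic reference."""
    if not isinstance(value, str):
        # Intrinsic functions ({"Ref": ...}, {"Fn::GetAtt": ...}) and lists are
        # structured values, not literals embedded in the template.
        return False
    return DYNAMIC_REF.match(value) is None


def find_plaintext_login_passwords(template):
    """Return the logical IDs of AWS::IAM::User resources with a literal console password.

    Only IDs are returned so a CI log never reproduces the leaked value.
    """
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::IAM::User":
            continue
        props = resource.get("Properties") or {}
        profile = props.get("LoginProfile")
        if not isinstance(profile, dict) or "Password" not in profile:
            continue  # no console access defined; nothing to check
        if is_plaintext_password(profile["Password"]):
            findings.append(logical_id)
    return findings


def scan_template_json(text):
    """Parse a JSON template string and return the offending logical IDs."""
    return find_plaintext_login_passwords(json.loads(text))


# Constructed sample template (not from the page): one user per password style.
SAMPLE_TEMPLATE = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"UserPassword": {"Type": "String", "NoEcho": true}},
  "Resources": {
    "BadUser": {
      "Type": "AWS::IAM::User",
      "Properties": {"LoginProfile": {"Password": "myP@ssW0rd", "PasswordResetRequired": false}}
    },
    "ParamUser": {
      "Type": "AWS::IAM::User",
      "Properties": {"LoginProfile": {"Password": {"Ref": "UserPassword"}}}
    },
    "SecretUser": {
      "Type": "AWS::IAM::User",
      "Properties": {"LoginProfile": {"Password": "{{resolve:secretsmanager:my-app/iam/user-password:SecretString:password}}"}}
    },
    "NoConsoleUser": {"Type": "AWS::IAM::User", "Properties": {"Path": "/"}}
  }
}
"""

if __name__ == "__main__":
    for logical_id in scan_template_json(SAMPLE_TEMPLATE):
        print(f"{logical_id}: Properties.LoginProfile.Password is a plaintext literal")
```

Run against the constructed template, only `BadUser` is reported: the `Ref` to a NoEcho parameter and the Secrets Manager dynamic reference both pass, and a user with no LoginProfile is skipped. Note that a NoEcho parameter keeps the value out of the template but still requires it to be passed at deploy time; the dynamic reference avoids that handling altogether.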
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myTopuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password:
          - !Ref NoEcho
        PasswordResetRequired: false
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn
```
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myNewuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password:
          - !Ref secretsmanager
        PasswordResetRequired: false
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myTopuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": [
            "NoEcho"
          ],
          "PasswordResetRequired": false
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```
Non-Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  myuser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd
        PasswordResetRequired: false
      Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:*
                Resource:
                  - !GetAtt myqueue.Arn
              - Effect: Deny
                Action:
                  - sqs:*
                NotResource:
                  - !GetAtt myqueue.Arn
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "LoginProfile": {
          "Password": "myP@ssW0rd",
          "PasswordResetRequired": false
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ]
            }
          }
        ],
        "Path": "/"
      }
    }
  }
}
```