
Use of an insecure channel - Cloud Infrastructure - Cloudformation


Need

Secure communication channels for data transmission in AWS


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS SDK for interacting with Amazon Web Services

Description

Insecure Code Example

Parameters:
  # Insecure: the credentials are stored as literal defaults in the template
  AccessKey:
    Type: String
    Default: "my-access-key"
  SecretKey:
    Type: String
    Default: "my-secret-key"

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Tags:
        - Key: Name
          Value: example-instance

In the CloudFormation template above, sensitive credentials (the AWS access key and secret key) are embedded directly in the template. This practice exposes those secrets to version control systems and unauthorized viewers, and increases the risk of compromise. Furthermore, nothing enforces secure communication between the infrastructure client and AWS services. Without an explicit SSL/TLS configuration or other secure transport method, it is assumed that the communication may occur over insecure channels, making it vulnerable to Man-in-the-Middle (MitM) attacks and data interception.

Steps

  1. Use HTTPS instead of HTTP for communication with AWS services
  2. Enable encryption in transit by configuring SSL/TLS for the communication channel
  3. Ensure that secure cipher suites and encryption protocols are used
  4. Implement mutual authentication to verify the identity of the remote end of the connection
  5. Avoid hardcoding access keys and secret keys in the code; instead, use secure credential management solutions

Secure Code Example

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Tags:
        - Key: Name
          Value: example-instance
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 8
            # Encrypt the volume to protect data at rest
            Encrypted: true

This updated CloudFormation snippet avoids embedding sensitive credentials in the template. Instead, credentials are assumed to be provided via IAM roles assigned to the instance or injected securely through environment variables or Secrets Manager, outside of the template itself. Additionally, an encrypted EBS volume is configured for the instance to protect data at rest. Secure communication with AWS services is implicitly enforced when using the AWS SDKs and tools that default to HTTPS with TLS encryption. Best practices include using IAM roles for EC2 and encrypting all sensitive data both at rest and in transit.
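
The checks described above can be automated before a template is deployed. The following is an added example, not part of the original page or of any AWS tool: it audits a parsed template for credential parameters with literal defaults, EBS volumes without encryption, and plaintext http:// URLs. The names audit, walk_strings, make_template and CRED_NAME, the Endpoint parameter and the sample URL are assumptions made for illustration.

```python
import re

# Assumed heuristic for credential-like parameter names (not an AWS rule).
CRED_NAME = re.compile(r"(access|secret)_?key|password|token", re.I)

def walk_strings(node, path=""):
    """Yield (path, value) for every string nested in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}/{index}")
    elif isinstance(node, str):
        yield path.lstrip("/"), node

def audit(template):
    """Return sorted (rule, location) findings for a parsed template (dict)."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        # A literal Default on a credential parameter stores the secret in the file.
        if CRED_NAME.search(name) and "Default" in param:
            findings.append(("hardcoded-credential", f"Parameters/{name}"))
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        mappings = res.get("Properties", {}).get("BlockDeviceMappings", [])
        for i, mapping in enumerate(mappings):
            ebs = mapping.get("Ebs")
            # CloudFormation accepts true or "true"; anything else is unencrypted.
            if ebs is not None and str(ebs.get("Encrypted")).lower() != "true":
                findings.append(("unencrypted-ebs", f"Resources/{name}/BlockDeviceMappings/{i}"))
    for path, value in walk_strings(template):
        if "http://" in value.lower():
            findings.append(("plaintext-url", path))
    return sorted(findings)

# Constructed samples modelled on the page's two templates. The Endpoint parameter
# and the unencrypted volume in INSECURE are added here for illustration.
def make_template(encrypted, parameters):
    ebs = {"VolumeSize": 8, "Encrypted": encrypted}
    props = {"ImageId": "ami-0c94855ba95c574c8", "InstanceType": "t2.micro",
             "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": ebs}]}
    instance = {"Type": "AWS::EC2::Instance", "Properties": props}
    return {"Parameters": parameters, "Resources": {"MyEC2Instance": instance}}
INSECURE = make_template(False, {
    "AccessKey": {"Type": "String", "Default": "my-access-key"},
    "SecretKey": {"Type": "String", "Default": "my-secret-key"},
    "Endpoint": {"Type": "String", "Default": "http://internal.example/api"}})
SECURE = make_template(True, {})
```

audit expects the template already parsed into a dict; YAML templates that use short-form intrinsics such as !Ref need a CloudFormation-aware loader first.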


References

  • 281 - Use of an insecure channel - Cloud Infrastructure

  • Last updated: 2025/04/04