Json Yaml Weak Secret Configuration
Description
Identifies AWS CloudFormation templates (JSON or YAML) that define AWS Secrets Manager secrets whose GenerateSecretString configuration is weak. Secrets Manager always draws from a cryptographically secure generator, but a short PasswordLength, excluded character classes, or a disabled RequireEachIncludedType shrink the search space and yield low-entropy values that are easier to brute-force, compromising every system that relies on those secrets.
Detection Strategy
• Scan CloudFormation template files for AWS::SecretsManager::Secret resource definitions
• Check whether the GenerateSecretString property of each secret resource has insecure settings
• Report a vulnerability if password generation parameters are missing or configured weakly (for example, a short PasswordLength, ExcludeLowercase/ExcludeUppercase/ExcludeNumbers/ExcludePunctuation set to true, or RequireEachIncludedType set to false)
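The detection strategy above, implemented as an added example (not Fluid Attacks' own scanner): it parses a JSON CloudFormation template, finds every AWS::SecretsManager::Secret, and reports weak GenerateSecretString settings. AWS's documented defaults (PasswordLength 32, all four character classes included, RequireEachIncludedType true) are used when a property is absent; the thresholds MIN_LENGTH and MIN_ENTROPY_BITS, the entropy estimate, and the sample templates are assumptions constructed for this example, not the page's exact rule.

```python
import json
import math
import string

# AWS defaults for GenerateSecretString (CloudFormation documentation):
# PasswordLength 32, RequireEachIncludedType true, all character classes included.
DEFAULT_LENGTH = 32
CLASSES = {
    "ExcludeLowercase": set(string.ascii_lowercase),
    "ExcludeUppercase": set(string.ascii_uppercase),
    "ExcludeNumbers": set(string.digits),
    "ExcludePunctuation": set(string.punctuation),  # the 32 ASCII symbols
}
# Policy thresholds chosen for this example (assumptions, not the page's rule).
MIN_LENGTH = 16
MIN_ENTROPY_BITS = 80


def effective_alphabet(gen):
    """Characters the generator can draw from after Exclude* settings apply."""
    alphabet = set()
    for flag, chars in CLASSES.items():
        if not gen.get(flag, False):
            alphabet |= chars
    if gen.get("IncludeSpace", False):
        alphabet.add(" ")
    return alphabet - set(gen.get("ExcludeCharacters", ""))


def estimate_entropy_bits(gen):
    """Upper bound: length * log2(alphabet size). RequireEachIncludedType
    shrinks the space slightly, so the true figure is a little lower."""
    alphabet = effective_alphabet(gen)
    if not alphabet:
        return 0.0
    return gen.get("PasswordLength", DEFAULT_LENGTH) * math.log2(len(alphabet))


def analyze_generate_secret_string(gen):
    """Return the list of weaknesses found in one GenerateSecretString block."""
    findings = []
    if "PasswordLength" not in gen:
        findings.append("PasswordLength not set; relying on the AWS default")
    elif gen["PasswordLength"] < MIN_LENGTH:
        findings.append(f"PasswordLength {gen['PasswordLength']} is below {MIN_LENGTH}")
    for flag in CLASSES:
        if gen.get(flag, False):
            findings.append(f"{flag} is true; a whole character class is removed")
    if gen.get("RequireEachIncludedType", True) is False:
        findings.append("RequireEachIncludedType is false; value may omit a class")
    bits = estimate_entropy_bits(gen)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    return findings


def scan_template(template_text):
    """Parse a JSON CloudFormation template; map each weak secret's logical ID
    to its findings. Secrets that pass SecretString directly are out of scope."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SecretsManager::Secret":
            continue
        gen = resource.get("Properties", {}).get("GenerateSecretString")
        if gen is None:
            continue
        findings = analyze_generate_secret_string(gen)
        if findings:
            results[logical_id] = findings
    return results


def template_with(gen):
    """Constructed single-resource template wrapping one GenerateSecretString."""
    return json.dumps({"Resources": {"AppSecret": {
        "Type": "AWS::SecretsManager::Secret",
        "Properties": {"Name": "MySecretForAppA", "GenerateSecretString": gen}}}})


# Constructed samples: a weak policy and a strong one (not real deployments).
WEAK_TEMPLATE = template_with({
    "SecretStringTemplate": '{"username":"admin"}', "GenerateStringKey": "password",
    "PasswordLength": 8, "ExcludeUppercase": True, "ExcludePunctuation": True,
    "RequireEachIncludedType": False})
STRONG_TEMPLATE = template_with({
    "SecretStringTemplate": '{"username":"admin"}', "GenerateStringKey": "password",
    "PasswordLength": 32, "ExcludeCharacters": '"@/\\', "RequireEachIncludedType": True})

if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("strong", STRONG_TEMPLATE)):
        print(name, scan_template(text))
```

Running it reports five findings for the weak template (8 characters from a 36-symbol alphabet is roughly 41 bits) and nothing for the strong one; excluding a handful of characters that would break a connection string, as the strong sample does, costs almost no entropy, which is why ExcludeCharacters is only penalised through the entropy estimate rather than flagged outright.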
Vulnerable code example
Resources:
  MySecret1:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: MySecretForAppA
      Description: Secret with weak password policy
      GenerateSecretString:
        SecretStringTemplate: '{"username":"admin"}'...
✅ Secure code example
Resources:
  MySecret1:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: MySecretForAppA
      Description: Secret with strong password policy
      GenerateSecretString:
        SecretStringTemplate: '{"username":"admin"}'...