Terraform Weak Secret Configuration
Description
Detects weak or insecure settings when a Terraform configuration generates a random password with the 'aws_secretsmanager_random_password' data source, which calls the AWS Secrets Manager GetRandomPassword API. The vulnerability occurs when that data source is configured with insufficient security parameters (a short password_length, whole character classes removed through the exclude_* flags or exclude_characters, or require_each_included_type disabled), producing passwords with less entropy that are more susceptible to brute-force and guessing attacks. The generated value is exposed through the data source's random_password attribute and is therefore written to Terraform state, so the state backend must be protected regardless of how strong the generated password is.
Detection Strategy
• Look for Terraform data source declarations of type 'aws_secretsmanager_random_password' (the API defaults apply to any argument that is omitted: 32 characters, all character classes included, require_each_included_type enabled)
• Check whether the data source's arguments weaken the generated password
• Report a vulnerability if the password generation settings do not meet security requirements, e.g. a password_length that is too short, character classes removed via exclude_numbers, exclude_lowercase, exclude_uppercase, exclude_punctuation or exclude_characters, or require_each_included_type set to false
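The following checker is an added illustration of the strategy above; it is not Fluid Attacks' scanner. It parses only flat data blocks with scalar argument values (no nested blocks, variables or expressions), the 16-character minimum is an assumed threshold chosen for the example, and the sample HCL is constructed to mirror the two examples on this page.

```python
"""Flag weak aws_secretsmanager_random_password data sources in Terraform.

Added example, not Fluid Attacks' scanner. Handles only flat data blocks
with scalar attribute values; the minimum length is an assumed threshold.
"""
import re
import string
from typing import Dict, List

MIN_PASSWORD_LENGTH = 16  # assumed threshold; the page contrasts 12 (weak) with 32 (secure)

# Matches: data "aws_secretsmanager_random_password" "<name>" { ...body... }
BLOCK_RE = re.compile(
    r'data\s+"aws_secretsmanager_random_password"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}'
)
# Matches one `key = value` line; value is a quoted string (with \" and \\ escapes) or a bare token.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|\S+)', re.MULTILINE)


def _parse_value(raw: str):
    """Convert an HCL scalar literal to a Python value (string, bool or int)."""
    if raw.startswith('"'):
        # Undo the two HCL escapes that matter for exclude_characters: \" and \\
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw


def check_attrs(attrs: Dict[str, object]) -> List[str]:
    """Return one finding per weak setting; an empty list means the block passes."""
    findings: List[str] = []

    # AWS GetRandomPassword defaults to 32 characters when the length is omitted.
    length = attrs.get("password_length", 32)
    if isinstance(length, int) and length < MIN_PASSWORD_LENGTH:
        findings.append(f"password_length={length} is below {MIN_PASSWORD_LENGTH}")

    # Each exclude_* flag removes a whole character class from the alphabet.
    for flag in ("exclude_numbers", "exclude_lowercase", "exclude_uppercase", "exclude_punctuation"):
        if attrs.get(flag) is True:
            findings.append(f"{flag}=true removes an entire character class")

    # Without this, AWS may return a password that lacks some of the allowed classes.
    if attrs.get("require_each_included_type") is False:
        findings.append("require_each_included_type=false does not enforce a mix of classes")

    # exclude_characters can silently achieve the same effect as an exclude_* flag.
    excluded_raw = attrs.get("exclude_characters", "")
    excluded = set(excluded_raw) if isinstance(excluded_raw, str) else set()
    for label, cls in (("digit", string.digits), ("lowercase", string.ascii_lowercase), ("uppercase", string.ascii_uppercase)):
        if set(cls) <= excluded:
            findings.append(f"exclude_characters removes every {label} character")
    return findings


def scan(hcl_text: str) -> Dict[str, List[str]]:
    """Map each aws_secretsmanager_random_password block name to its findings."""
    results: Dict[str, List[str]] = {}
    for block in BLOCK_RE.finditer(hcl_text):
        attrs = {m.group("key"): _parse_value(m.group("val")) for m in ATTR_RE.finditer(block.group("body"))}
        results[block.group("name")] = check_attrs(attrs)
    return results


# Constructed sample input mirroring the two examples on this page.
SAMPLE_HCL = '''
data "aws_secretsmanager_random_password" "unsafe_generator" {
  password_length            = 12
  exclude_numbers            = true   # no digits
  exclude_lowercase          = true   # no lowercase letters
  require_each_included_type = false
  exclude_characters         = "0123456789"
}

data "aws_secretsmanager_random_password" "secure_generator" {
  password_length            = 32
  exclude_numbers            = false
  exclude_lowercase          = false
  require_each_included_type = true
  exclude_characters         = "\\"'\\\\/"   # only quote, backslash and slash
}
'''

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_HCL).items():
        print(f"{'WEAK' if findings else 'OK'}: {name}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script reports five findings for unsafe_generator (short length, two excluded classes, require_each_included_type disabled, and every digit removed again through exclude_characters) and none for secure_generator. A block that omits an argument is judged by the AWS default for that argument, which is why an empty block passes.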
Vulnerable code example
data "aws_secretsmanager_random_password" "unsafe_generator" {
  password_length            = 12           # Short length: too little entropy
  exclude_numbers            = true         # Reducing password complexity by excluding numbers
  exclude_lowercase          = true         # Further weakening by excluding lowercase letters
  require_each_included_type = false        # Not enforcing character type requirements
  exclude_characters         = "0123456789" # Removes the digit class again, even if exclude_numbers is later flipped
}
✅ Secure code example
data "aws_secretsmanager_random_password" "secure_generator" {
  password_length            = 32        # Increased length for better entropy
  exclude_numbers            = false     # Include numbers for complexity
  exclude_lowercase          = false     # Include lowercase for complexity
  require_each_included_type = true      # Enforce mix of character types
  exclude_characters         = "\"'\\/"  # Only exclude characters that are problematic for consumers
}