Ensure CloudFormation outputs do not expose secrets
Error: CloudFormation outputs expose secrets
Bridgecrew Policy ID: BC_AWS_SECRETS_2
Severity: HIGH
CloudFormation outputs expose secrets
Description
CloudFormation outputs contain values produced by the template when the stack was created. These outputs may contain secrets, for example user names, passwords, and tokens. Outputs cannot be encrypted, so any entity with basic read-only metadata access to the stack and its CloudFormation outputs can read these secrets.
We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.
Fix - Runtime
CLI Command
To see the secret, run the following CLI command:
aws cloudformation --region <REGION> describe-stacks --stack-name <STACK_NAME>
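The describe-stacks response can be screened for exactly the condition this policy describes. The following is an added example, not Bridgecrew's own check: it flags outputs whose key names a secret or whose value has the shape of a credential, and treats outputs that export only a Secrets Manager or SSM ARN (the recommended replacement for exporting the value itself) as safe. The stack name, output keys and values in the sample are constructed; the access key value is the AWS documentation example key, not a live credential.

```python
import json
import re
import sys

# Output keys that suggest a secret is exported (heuristic, case-insensitive)
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I)
# Value shapes that are secrets no matter how the output is named
SECRET_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# ARNs of secret stores are safe to export: they point at the secret, not its value
SAFE_REFERENCE_RE = re.compile(r"^arn:aws:(secretsmanager|ssm):")

def find_secret_outputs(describe_stacks_response):
    """Flag outputs in parsed `aws cloudformation describe-stacks` JSON that look like secrets."""
    findings = []
    for stack in describe_stacks_response.get("Stacks", []):
        for output in stack.get("Outputs", []):
            key = output.get("OutputKey", "")
            value = str(output.get("OutputValue", ""))
            if SAFE_REFERENCE_RE.match(value):
                continue  # a reference to a secret store, not the secret itself
            reason = None
            for name, pattern in SECRET_VALUE_PATTERNS.items():
                if pattern.search(value):
                    reason = f"value matches {name}"
                    break
            if reason is None and SECRET_KEY_RE.search(key):
                reason = "output key names a secret"
            if reason:
                findings.append({"stack": stack["StackName"], "output": key, "reason": reason})
    return findings

# Constructed sample response: fictional stack, example-only credential values
SAMPLE_RESPONSE = {"Stacks": [{"StackName": "app-stack", "Outputs": [
    {"OutputKey": "ApiEndpoint", "OutputValue": "https://api.example.com"},
    {"OutputKey": "DbPassword", "OutputValue": "example-not-a-real-password"},
    {"OutputKey": "DbSecretArn", "OutputValue": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"},
    {"OutputKey": "DeployCreds", "OutputValue": "AKIAIOSFODNN7EXAMPLE"},
]}]}

if __name__ == "__main__":
    # Pipe the describe-stacks CLI command above into this script, or run it on the sample
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in find_secret_outputs(data):
        print(f"{finding['stack']}: output {finding['output']} ({finding['reason']})")
```

On the sample, DbPassword and DeployCreds are reported while DbSecretArn is accepted, which is the shape a remediated template should produce: export the ARN, keep the value in the secret store.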