
Deployment uses deterministic credential values

Security · Deployment · Rule · 2022_09 · Awareness

A sensitive property set from deterministic or hardcoded values is not secure.

Description

Resource properties can be configured using a hardcoded value or Azure Bicep/template expressions. When specifying sensitive values, use secure parameters. Secure parameters use the @secure() decorator in Bicep or the secureString / secureObject parameter type in Azure templates.

Sensitive values that use deterministic expressions such as hardcoded string literals or variables are not secure. These values can be read by anyone with read access to deployment history or logs. Logs are often exposed at multiple levels including CI pipeline logs, Azure Activity Logs, and SIEM systems.

Secret rotation — SE:09 Application secrets

If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.

Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.

Recommendation

Sensitive properties should be passed as parameters. Avoid using deterministic or hardcoded values for sensitive properties.

Examples

Configure with Azure template

To configure deployments that pass this rule:

  • Set the type of parameters used to set sensitive resource properties to secureString or secureObject.

For example:

Azure Template snippet
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2022-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1"
  ],
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D2s_v3"
    },
    "osProfile": {
      "computerName": "[parameters('name')]",
      "adminUsername": "[parameters('adminUsername')]",
      "adminPassword": "[parameters('adminPassword')]"
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "[parameters('sku')]",
        "version": "latest"
      },
      "osDisk": {
        "name": "[format('{0}-disk0', parameters('name'))]",
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "managedDisk": {
          "storageAccountType": "Premium_LRS"
        }
      }
    },
    "licenseType": "Windows_Server",
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
        }
      ]
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
  ]
}

Configure with Bicep

To configure deployments that pass this rule:

  • Add the @secure() decorator to parameters used to set sensitive resource properties.

For example:

Azure Bicep snippet
@secure()
@description('The name of the local administrator account.')
param adminUsername string

@secure()
@description('A password for the local administrator account.')
param adminPassword string

resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {
  name: name
  location: location
  zones: [
    '1'
  ]
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v3'
    }
    osProfile: {
      computerName: name
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: sku
        version: 'latest'
      }
      osDisk: {
        name: '${name}-disk0'
        caching: 'ReadWrite'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    licenseType: 'Windows_Server'
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}
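As an added example that is not part of the PSRule for Azure documentation, the following parent template shows the pattern this rule flags beside a passing pattern that sources the secure values from an existing Key Vault at deployment time, so the secret never appears in the template, a variable, or a parameter file. It assumes the Bicep snippet above is saved as a module file `vm.bicep` with its `@secure()` parameters; the vault name, resource group and secret names (`kvName`, `kvResourceGroup`, `vmAdminUsername`, `vmAdminPassword`) are placeholders for illustration.

```bicep
// Added example (not from the PSRule for Azure docs): main.bicep, a parent template
// that feeds the VM module's secure parameters from an existing Key Vault.
// kvName, kvResourceGroup and the secret names are assumed placeholders.

// The pattern this rule flags: a sensitive property set from a deterministic value.
// The literal is recorded in deployment history and in every log that captures it.
//
//   var adminPassword = 'example-literal'           // flagged by this rule
//   ...
//   osProfile: {
//     adminPassword: adminPassword                  // not a secure parameter
//   }

param name string
param location string = resourceGroup().location
param sku string = '2022-datacenter'

// Where the secrets live; nothing is created here, the vault already exists.
param kvName string
param kvResourceGroup string = resourceGroup().name

resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: kvName
  scope: resourceGroup(kvResourceGroup)
}

// vm.bicep declares adminUsername and adminPassword with @secure(), as in the
// snippet above. getSecret() is only valid for a module parameter marked @secure(),
// and the deployment history stores the vault/secret reference, not the value.
module vm './vm.bicep' = {
  name: '${name}-vm'
  params: {
    name: name
    location: location
    sku: sku
    adminUsername: kv.getSecret('vmAdminUsername')
    adminPassword: kv.getSecret('vmAdminPassword')
  }
}
```

The deploying identity needs the Key Vault `enabledForTemplateDeployment` setting and permission to read the secrets, but no secret value ever leaves the vault by way of the template, a parameter file, or the pipeline definition. If the flagged literal pattern was ever deployed, treat that value as exposed and rotate it, as the secret rotation note under Description describes.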

Notes

Rule configuration

AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES

Configure AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES to specify sensitive property names. By default, the following values are used:

  • adminUsername
  • administratorLogin
  • administratorLoginPassword
