
Deployment exposes secrets with outer deployment

Security · Deployment · Rule · 2022_12 · Critical

Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments.

Description

Template child deployments can be scoped as either outer or inner. When a nested deployment uses outer scope evaluation, expressions in the nested template are resolved in the parent's scope, so values from the parent's parameters are substituted directly into the nested template instead of being carried as secureString and secureObject types. Secure values can therefore end up in deployment logs and in the nested deployment's resolved template.

When passing secure values to nested deployments, always use inner scope deployments so that secure values are not logged. Bicep modules always use inner scope evaluated deployments.

Secret rotation — SE:09 Application secrets

If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.

Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.

Recommendation

Consider using inner deployments to prevent secure values from being exposed.

Examples

Configure with Azure template

Nested deployments (Microsoft.Resources/deployments) within an ARM template need the property expressionEvaluationOptions.scope set to inner.

Azure Template snippet
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {
            "type": "securestring",
            "defaultValue": "admin"
        }
    },
    "resources": [
        {
            "name": "nestedDeployment-A",
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-10-01",
            "properties": {
                "expressionEvaluationOptions": {
                    "scope": "inner"
                },
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "adminUsername": {
                            "type": "securestring",
                            "defaultValue": "password"
                        }
                    },
                    "variables": {},
                    "resources": [
                        {
                            "apiVersion": "2019-12-01",
                            "type": "Microsoft.Compute/virtualMachines",
                            "name": "vm-example",
                            "location": "australiaeast",
                            "properties": {
                                "osProfile": {
                                    "computerName": "vm-example",
                                    "adminUsername": "[parameters('adminUsername')]"
                                }
                            }
                        }
                    ]
                }
            }
        }
    ]
}
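The following is an added example, not code from the PSRule for Azure documentation or project. It is a small Python check that applies the rule above to an ARM template loaded as JSON: it collects the template's secureString/secureObject parameters, walks every Microsoft.Resources/deployments resource, and reports any nested template that references a parent secure parameter while evaluating in outer scope. It assumes that a missing expressionEvaluationOptions.scope means outer (the ARM default) and uses two constructed templates, one failing and one corrected, as input.

```python
"""Flag ARM nested deployments that resolve a parent secure parameter in outer scope."""
import json
import re

SECURE_TYPES = {"securestring", "secureobject"}
DEPLOYMENT_TYPE = "microsoft.resources/deployments"
PARAM_REF = re.compile(r"parameters\('([^']+)'\)", re.IGNORECASE)


def secure_parameter_names(template):
    """Names of parameters declared as securestring or secureobject (case-insensitive)."""
    params = template.get("parameters") or {}
    return {name for name, spec in params.items()
            if str(spec.get("type", "")).lower() in SECURE_TYPES}


def referenced_parameters(obj):
    """Every parameter name referenced as parameters('name') in any string under obj."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            found.update(PARAM_REF.findall(node))

    walk(obj)
    return found


def find_outer_secret_leaks(template, secure=None, path="resources"):
    """Return findings as (resource path, scope, sorted leaked parameter names).

    `secure` is the set of secure parameter names visible to expressions at this
    level: the template's own parameters for a root or inner-scoped template, the
    enclosing template's parameters when evaluation is outer-scoped.
    """
    if secure is None:
        secure = secure_parameter_names(template)
    findings = []
    for idx, res in enumerate(template.get("resources") or []):
        res_path = f"{path}[{idx}]"
        if str(res.get("type", "")).lower() != DEPLOYMENT_TYPE:
            continue
        props = res.get("properties") or {}
        # Assumption: no expressionEvaluationOptions means the ARM default, outer.
        scope = str((props.get("expressionEvaluationOptions") or {}).get("scope", "outer")).lower()
        nested = props.get("template")
        if not isinstance(nested, dict):
            continue
        nested_path = res_path + ".properties.template"
        if scope == "inner":
            # Inner scope: references inside the nested template resolve to its own parameters.
            findings.extend(find_outer_secret_leaks(nested, secure_parameter_names(nested), nested_path))
        else:
            leaked = secure & referenced_parameters(nested)
            if leaked:
                findings.append((res_path, scope, sorted(leaked)))
            # Outer scope: deeper nested templates still see the enclosing parameters.
            findings.extend(find_outer_secret_leaks(nested, secure, nested_path))
    return findings


# Constructed sample: secure parent parameter used directly by an outer-scoped nested template.
OUTER_TEMPLATE = json.loads("""{
  "parameters": {"adminPassword": {"type": "secureString"}},
  "resources": [{
    "name": "nestedDeployment-A", "type": "Microsoft.Resources/deployments",
    "apiVersion": "2020-10-01",
    "properties": {"mode": "Incremental", "template": {
      "resources": [{"type": "Microsoft.Compute/virtualMachines", "name": "vm-example",
        "properties": {"osProfile": {"adminPassword": "[parameters('adminPassword')]"}}}]}}}]}""")

# Constructed sample: inner scope, the secure value is passed in and declared secure in the nested template.
INNER_TEMPLATE = json.loads("""{
  "parameters": {"adminPassword": {"type": "secureString"}},
  "resources": [{
    "name": "nestedDeployment-A", "type": "Microsoft.Resources/deployments",
    "apiVersion": "2020-10-01",
    "properties": {"mode": "Incremental",
      "expressionEvaluationOptions": {"scope": "inner"},
      "parameters": {"adminPassword": {"value": "[parameters('adminPassword')]"}},
      "template": {
        "parameters": {"adminPassword": {"type": "secureString"}},
        "resources": [{"type": "Microsoft.Compute/virtualMachines", "name": "vm-example",
          "properties": {"osProfile": {"adminPassword": "[parameters('adminPassword')]"}}}]}}}]}""")


if __name__ == "__main__":
    for label, tmpl in (("outer", OUTER_TEMPLATE), ("inner", INNER_TEMPLATE)):
        print(label, find_outer_secret_leaks(tmpl) or "no findings")
```

The check is deliberately conservative: it only reports a nested template that both evaluates in outer scope and references a parameter the enclosing template marks secure, so a plain-string parameter referenced in outer scope is not reported. Run it over a template file with `find_outer_secret_leaks(json.load(open(path)))`.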

Configure with Bicep

This does not apply to Bicep code under normal circumstances: when you use the module keyword, your deployments always use the inner evaluation mode.
