Skip to content

Deployment exposes a secret in output#

Security · Deployment · Rule · 2022_06 · Critical

Outputting a sensitive value from deployment may leak secrets into deployment history or logs.

Description#

This rule checks for cases when a sensitive value is output from a deployment. For example, if a parameter is marked as secure and then assigned to an output value.

Don't include any values in an ARM template or Bicep output that could potentially expose sensitive information. The output from each deployment is stored in the deployment history. If the output contains sensitive information, the output value is leaked to the deployment history.

Examples of secrets are:

  • Parameters using the secureString or secureObject type.
  • Output from list* functions such as listKeys.

Outputs are recorded in clear texts within deployment history and logs. Logs are often exposed at multiple levels including CI pipeline logs, Azure Activity Logs, and SIEM systems.

Secret rotation — SE:09 Application secrets

If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.

Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.

Recommendation#

Consider removing any output values that return secret values in code.

Examples#

Configure with Bicep#

To deploy securely pass secrets within Infrastructure as Code:

  • Add the @secure() decorators on sensitive parameters.
  • Avoid returning a secret in output values.

Example using @secure() annotation:

Azure Bicep snippet
@secure()
@description('Local administrator password for virtual machine.')
param adminPassword string

The following example fails because it returns a secret:

Azure Bicep snippet
output accountPassword string = adminPassword

Configure with Azure template#

To deploy securely pass secrets within Infrastructure as Code:

  • Define parameters with the secureString or secureObject type.
  • Avoid returning a secret in output values.

Example using secureString type:

Azure Template snippet
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": []
}

The following example fails because it returns a secret:

Azure Template snippet
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Local administrator password for virtual machine."
      }
    }
  },
  "resources": [],
  "outputs": {
    "accountPassword": {
      "type": "string",
      "value": "[parameters('adminPassword')]"
    }
  }
}

Notes#

When using Bicep, the built-in linter will also automatically check for common cases when secrets are output from a deployment.

Comments