Skip to content

Deployment parameter name implies it is secret but is a non-secure value#

Security · Deployment · Rule · 2023_12 · Critical

Sensitive parameters that have been not been marked as secure may leak the secret into deployment history or logs.

Description#

Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the @secure decorator in Bicep or the secureString / secureObject type.

Parameters that do not use secure types are recorded in deployment history and logs. These values can be retrieved by anyone with read access to the deployment history and logs.

Secret rotation — SE:09 Application secrets

If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.

Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.

Recommendation#

Consider using secure parameters for any parameter that contain sensitive information.

Examples#

Configure with Azure template#

To configure deployments that pass this rule:

  • Set the type of sensitive parameters to secureString or secureObject.

For example:

Azure Template snippet
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secret": {
      "type": "secureString"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "keyvault/good",
      "properties": {
        "value": "[parameters('secret')]"
      }
    }
  ]
}

Configure with Bicep#

To configure deployments that pass this rule:

  • Add the @secure() decorators on sensitive parameters.

For example:

Azure Bicep snippet
@secure()
param secret string

resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: vault
  name: 'good'
  properties: {
    value: secret
  }
}

Notes#

This rule uses a heuristics to determine if a parameter should use a secure type:

  • Parameters with the type int or bool are ignored regardless of how they are named.
  • Parameters named ending with name, uri, url, path, type, id, or options are ignored.
  • Any remaining parameters with a name containing password, secret, or token will be considered sensitive. Except if they contains any of the following in sequences in their name: length, interval, secretname, secreturl, secreturi, secrettype, secretrotation, secretprovider, secretsprovider, secretref, secretid, disablepassword, sync*passwords, tokenname, tokentype, keyvaultpath, keyvaultname, or keyvaulturi.
  • Any remaining parameters with a name ending in key or keys will be considered sensitive. Except for:
    • The customermanagedkey parameter.
    • Parameter names ending in publickey or publickeys.

Rule configuration#

AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES

If you identify a parameter that is not sensitive, and is incorrectly flagged by this rule, you can override the rule. To override this rule:

  • Set the AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES configuration value to identify parameters that are not sensitive.

Comments