# Use secure parameters for sensitive information
Security · Deployment · Rule · 2023_12 · Critical
Use secure parameters for any parameter that contains sensitive information.
## Description
Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure.
When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters.
Secure parameters use the `secureString` or `secureObject` type.
The values of parameters that do not use a secure type are recorded in logs and in the deployment history. Anyone with read access to the deployment history can retrieve those values.
## Recommendation
Consider using secure parameters for parameters that contain sensitive information.
## Examples

### Configure with Azure template

To configure deployments that pass this rule:

- Set the type of sensitive parameters to `secureString` or `secureObject`.

For example:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secret": {
      "type": "secureString"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "keyvault/good",
      "properties": {
        "value": "[parameters('secret')]"
      }
    }
  ]
}
```
### Configure with Bicep

To configure deployments that pass this rule:

- Add the `@secure()` attribute on sensitive parameters.

For example:

```bicep
// The secret value is never written to deployment history or logs.
@secure()
param secret string

// Assumed for the example to compile: the parent Key Vault that holds the secret.
param vaultName string

resource vault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: vaultName
}

resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: vault
  name: 'good'
  properties: {
    value: secret
  }
}
```
## Notes

This rule uses heuristics to determine whether a parameter should use a secure type:

- Parameters with the type `int` or `bool` are ignored regardless of how they are named.
- Any parameter with a name containing `password`, `secret`, or `token` will be considered sensitive.
  - Except parameter names containing any of the following: `length`, `interval`, `secretname`, `secreturl`, `secreturi`, `secrettype`, `secretrotation`, `secretprovider`, `secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`, `tokenname`, `tokentype`, `keyvaultpath`, `keyvaultname`, or `keyvaulturi`.
- Any parameter with a name ending in `key` or `keys` will be considered sensitive.
  - Except parameter names ending in `publickey` or `publickeys`.
### Rule configuration

#### AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES

If you identify a parameter that is not sensitive, and is incorrectly flagged by this rule, you can override the rule. To override this rule:

- Set the `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES` configuration value to identify parameters that are not sensitive.
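As an added example (not code from PSRule for Azure or from this page), the following Python script applies the type rule and naming heuristic listed in the Notes section to the parameters of an ARM template and reports those that would fail the rule. The `nonsensitive_names` argument plays the role of the `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES` override. The sample template, the assumption that the override matches parameter names case-insensitively, and the reading of `sync*passwords` as a wildcard pattern are assumptions of this example, not statements from the page.

```python
import fnmatch
import json

# Constructed sample ARM template (not from the page). It mixes a secure
# parameter, plaintext parameters the heuristic should flag, and names that
# the documented type rule or name exceptions exclude.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "secret": {"type": "secureString"},        # secure type: passes
        "adminPassword": {"type": "string"},       # contains "password": flagged
        "storageAccountKey": {"type": "string"},   # ends in "key": flagged
        "notSecretToken": {"type": "string"},      # flagged unless overridden
        "passwordLength": {"type": "int"},         # int: ignored regardless of name
        "enableTokenAuth": {"type": "bool"},       # bool: ignored regardless of name
        "secretName": {"type": "string"},          # exception: contains "secretname"
        "tokenInterval": {"type": "string"},       # exception: contains "interval"
        "syncAgentPasswords": {"type": "string"},  # exception: matches "sync*passwords"
        "sshPublicKey": {"type": "string"},        # exception: ends in "publickey"
    },
    "resources": [],
})

SECURE_TYPES = {"securestring", "secureobject"}
IGNORED_TYPES = {"int", "bool"}

# Name fragments from the rule's Notes section (compared case-insensitively).
CONTAINS_SENSITIVE = ("password", "secret", "token")
CONTAINS_EXCEPTIONS = (
    "length", "interval", "secretname", "secreturl", "secreturi", "secrettype",
    "secretrotation", "secretprovider", "secretsprovider", "secretref",
    "secretid", "disablepassword", "sync*passwords", "tokenname", "tokentype",
    "keyvaultpath", "keyvaultname", "keyvaulturi",
)
ENDS_SENSITIVE = ("key", "keys")
ENDS_EXCEPTIONS = ("publickey", "publickeys")


def _name_contains(name, fragment):
    """Substring match; "sync*passwords" is assumed to be a wildcard pattern."""
    if "*" in fragment:
        return fnmatch.fnmatchcase(name, "*" + fragment + "*")
    return fragment in name


def looks_sensitive(name):
    """Return True if the parameter name alone suggests a sensitive value."""
    n = name.lower()
    if any(s in n for s in CONTAINS_SENSITIVE):
        if not any(_name_contains(n, e) for e in CONTAINS_EXCEPTIONS):
            return True
    if n.endswith(ENDS_SENSITIVE) and not n.endswith(ENDS_EXCEPTIONS):
        return True
    return False


def find_insecure_parameters(template_json, nonsensitive_names=()):
    """Return the sorted names of parameters that look sensitive but are not
    declared with a secure type. nonsensitive_names stands in for the
    AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES override (assumed here to
    match parameter names case-insensitively)."""
    template = json.loads(template_json)
    overrides = {n.lower() for n in nonsensitive_names}
    flagged = []
    for name, definition in template.get("parameters", {}).items():
        ptype = str(definition.get("type", "")).lower()
        if ptype in SECURE_TYPES or ptype in IGNORED_TYPES:
            continue  # already secure, or a type the rule never inspects
        if name.lower() in overrides:
            continue  # explicitly declared non-sensitive by configuration
        if looks_sensitive(name):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for p in find_insecure_parameters(SAMPLE_TEMPLATE):
        print(f"FAIL: parameter '{p}' looks sensitive but is not secureString/secureObject")
    print("with override:", find_insecure_parameters(SAMPLE_TEMPLATE, ["notSecretToken"]))
```

Run as a script it reports `adminPassword`, `storageAccountKey` and `notSecretToken`; passing `["notSecretToken"]` as the override drops that one, which is the effect the configuration value has on the real rule. The remaining two are fixed by changing their type to `secureString`, not by overriding.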
## Links
- SE:02 Secured development lifecycle
- Use Azure Key Vault to pass secure parameter value during Bicep deployment
- Integrate Azure Key Vault in your ARM template deployment