# Deployment sets a secret property with a non-secure value
Security · Deployment · Rule · 2024_12 · Critical
A secret property set from a non-secure value may leak the secret into deployment history or logs.
## Description
Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure.
When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters.
Secure parameters use the `@secure()` decorator in Bicep, or the `secureString` / `secureObject` type in ARM templates.
Parameters that do not use secure types are recorded in plain text in deployment history and logs, where they can be retrieved by anyone with read access to that history or those logs. Deployment parameters are often exposed at several levels at once, including CI pipeline logs, Azure Activity Logs, and any SIEM the logs are forwarded to.
**Secret rotation — SE:09 Application secrets**
If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.
Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.
## Recommendation
Consider using secure parameters for setting the value of any sensitive resource properties.
## Examples

### Configure with Azure template
To configure deployments that pass this rule:
- Set the `type` of parameters used to set sensitive resource properties to `secureString` or `secureObject`.
For example:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secret": {
      "type": "secureString"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "keyvault/good",
      "properties": {
        "value": "[parameters('secret')]"
      }
    }
  ]
}
```
### Configure with Bicep
To configure deployments that pass this rule:
- Add the `@secure()` decorator to parameters used to set sensitive resource properties.
For example:
```bicep
@secure()
param secret string

resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  name: 'keyvault/good'
  properties: {
    value: secret
  }
}
```
## Notes
For a list of resource types and properties that are checked by this rule see secret properties. If you find properties that are missing, please let us know by logging an issue on GitHub.
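The following is an added, stand-alone illustration of the kind of check this rule performs; it is not PSRule's own implementation. It parses an ARM template, walks a small, assumed subset of secret properties (only `Microsoft.KeyVault/vaults/secrets` → `properties.value` here; the real rule covers many more), and reports every secret property that is set from a literal or from a parameter whose type is not `secureString` / `secureObject`. The embedded template is constructed for the example and contains one passing and two failing resources.

```python
import json
import re

# Constructed sample template: one secure parameter, one plain-string parameter,
# and one hard-coded literal feeding Key Vault secret values.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "goodSecret": {"type": "secureString"},
        "badSecret": {"type": "string"},
    },
    "resources": [
        {"type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2022-07-01",
         "name": "keyvault/good", "properties": {"value": "[parameters('goodSecret')]"}},
        {"type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2022-07-01",
         "name": "keyvault/bad", "properties": {"value": "[parameters('badSecret')]"}},
        {"type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2022-07-01",
         "name": "keyvault/literal", "properties": {"value": "not-a-real-secret"}},
    ],
})

# Assumption: a tiny subset of the rule's secret-property list, keyed by resource
# type, giving the dotted property paths that must come from a secure parameter.
SECRET_PROPERTIES = {
    "Microsoft.KeyVault/vaults/secrets": ["properties.value"],
}

SECURE_TYPES = {"securestring", "secureobject"}

# Matches a bare parameter reference such as "[parameters('secret')]".
PARAM_REF = re.compile(r"^\[\s*parameters\(\s*'([^']+)'\s*\)\s*\]$", re.IGNORECASE)


def get_path(obj, path):
    """Follow a dotted path through nested dicts; None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def find_insecure_secret_values(template_text):
    """Return (resource name, property path, reason) for each secret property
    that is not set from a secure parameter."""
    template = json.loads(template_text)
    params = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        for path in SECRET_PROPERTIES.get(res.get("type", ""), []):
            value = get_path(res, path)
            if value is None:
                continue  # property not set in this resource
            if not isinstance(value, str):
                findings.append((res.get("name"), path, "non-string value"))
                continue
            match = PARAM_REF.match(value)
            if match is None:
                # A literal, or an expression this simplified check does not
                # unwrap (concat, variables, ...): it cannot be shown secure.
                findings.append((res.get("name"), path, "not a parameter reference"))
                continue
            pname = match.group(1)
            ptype = str(params.get(pname, {}).get("type", "")).lower()
            if ptype not in SECURE_TYPES:
                findings.append((res.get("name"), path,
                                 f"parameter '{pname}' has type '{ptype or 'undefined'}'"))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_insecure_secret_values(SAMPLE_TEMPLATE):
        print(f"FAIL {name} {path}: {reason}")
```

Anything that is not a plain `[parameters('...')]` reference is reported, which is the conservative choice: a value built with `concat()` or read from a variable may still originate in a secure parameter, but a checker cannot prove that without evaluating the expression, and an unprovable secret source is exactly what a reviewer wants flagged.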
## Links
- SE:02 Secured development lifecycle
- Secure parameters
- Use Azure Key Vault to pass secure parameter value during Bicep deployment
- Integrate Azure Key Vault in your ARM template deployment