Use secure resource values#
Security · Deployment · Rule · 2022_12
Use secure parameters for setting properties of resources that contain sensitive information.
Description#
Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure.
When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters.
Secure parameters use the secureString or secureObject type. In Bicep, the @secure() decorator on a string or object parameter compiles to the same secure types.
Parameters that do not use secure types are recorded in deployment logs and deployment history. These values can be retrieved later by anyone with read access to the deployment history, which is why the parameter type must be secure at deployment time rather than the value being hidden only in the source template.
Recommendation#
Consider using secure parameters for sensitive resource properties.
Examples#
Configure with Azure template#
To configure deployments that pass this rule:
- Set the type of parameters used to set sensitive resource properties to secureString or secureObject.
For example:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secret": {
      "type": "secureString"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "keyvault/good",
      "properties": {
        "value": "[parameters('secret')]"
      }
    }
  ]
}
```
Configure with Bicep#
To configure deployments that pass this rule:
- Add the @secure() decorator to parameters used to set sensitive resource properties.
For example:
```bicep
@secure()
param secret string

resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  name: 'keyvault/good'
  properties: {
    value: secret
  }
}
```
Notes#
This rule checks the following resource type properties:
- Microsoft.KeyVault/vaults/secrets: properties.value
- Microsoft.Compute/virtualMachineScaleSets: properties.virtualMachineProfile.osProfile.adminPassword
Links#
- Infrastructure provisioning considerations in Azure
- Use Azure Key Vault to pass secure parameter value during Bicep deployment
- Integrate Azure Key Vault in your ARM template deployment