Azure Resource Manager templates define parameters as a way to reuse templates in different environments. Secure parameters (secure strings and
secure objects) should not be assigned a default value.
Why is this an issue?
Parameters with the type securestring and secureObject are designed to pass sensitive data to the resources being deployed. Unlike other data types, they cannot be accessed after the deployment is completed: they can neither be logged nor used as an output.
Secure parameters can be assigned a default value, which is used if the parameter is not supplied at deployment time. This default value is not protected: it is part of the template itself and is stored in cleartext in the deployment history.
What is the potential impact?
If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history.
How to fix it in ARM templates
Code examples
Noncompliant code example
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secretValue": {
      "type": "securestring",
      "defaultValue": "S3CR3T"
    }
  }
}
Compliant solution
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secretValue": {
      "type": "securestring"
    }
  }
}
How to fix it in Bicep
Code examples
Noncompliant code example
@secure()
param secureStringWithDefaultValue string = 'S3CR3T' // Noncompliant
Compliant solution
@secure()
param secureStringWithDefaultValue string
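The ARM and Bicep examples above can be checked mechanically before a template reaches a deployment history. The following script is an added example, not part of the rule's own implementation: it parses an ARM template and scans a Bicep file for secure parameters that carry a default value. The sample template and Bicep file embedded in it are constructed for illustration.

```python
import json
import re

# Constructed sample ARM template: noncompliant securestring and secureObject
# parameters (with defaultValue) next to compliant ones.
ARM_TEMPLATE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secretValue": {"type": "securestring", "defaultValue": "S3CR3T"},
    "dbPassword": {"type": "SecureString"},
    "adminSettings": {"type": "secureObject", "defaultValue": {"apiKey": "x"}},
    "location": {"type": "string", "defaultValue": "westeurope"}
  }
}"""

# Constructed sample Bicep file with the same mix of shapes.
BICEP_FILE = """@secure()
param secureStringWithDefaultValue string = 'S3CR3T'

@secure()
param dbPassword string

param location string = 'westeurope'
"""

# ARM type names are case-insensitive, so compare in lowercase.
SECURE_TYPES = {"securestring", "secureobject"}


def find_arm_violations(template_text):
    """Names of securestring/secureObject parameters that define a defaultValue."""
    params = json.loads(template_text).get("parameters", {})
    return sorted(
        name for name, spec in params.items()
        if str(spec.get("type", "")).lower() in SECURE_TYPES and "defaultValue" in spec
    )


# A @secure() decorator, optionally followed by other decorators, and then a
# "param <name> <type> = ..." declaration is the noncompliant shape in Bicep.
BICEP_SECURE_DEFAULT = re.compile(
    r"@secure\(\)\s*(?:@\w+\([^)]*\)\s*)*param\s+(\w+)\s+\w+\s*="
)


def find_bicep_violations(bicep_text):
    """Names of @secure() parameters that are declared with a default value."""
    return sorted(BICEP_SECURE_DEFAULT.findall(bicep_text))


if __name__ == "__main__":
    print("ARM:", find_arm_violations(ARM_TEMPLATE))
    print("Bicep:", find_bicep_violations(BICEP_FILE))
```

A hit from either function means the secret in the default value will be readable by anyone with read access to the deployment history, so the default should be removed and the value supplied at deployment time instead.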
Resources
Documentation
Standards
- MITRE, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
- MITRE, CWE-532 - Insertion of Sensitive Information into Log File