When using nested deployments in Azure, template expressions can be evaluated within the scope of the parent template or the scope of the nested
template. If such a template expression evaluates a secure value of the parent template, it is possible to expose this value in the deployment
history.
Why is this an issue?
Parameters with the type securestring and secureObject are designed to pass sensitive data to the resources being deployed. Secure parameters cannot be accessed after the deployment is completed: they can neither be logged nor used as an output.
When used in nested deployments, however, it is possible to embed secure parameters in such a way that they become visible afterward.
What is the potential impact?
If the nested deployment contains a secure parameter in this way, then the value of this parameter may be readable in the deployment history. This
can lead to important credentials being leaked to unauthorized accounts.
How to fix it in ARM Templates
By setting properties.expressionEvaluationOptions.scope to Inner in the parent template, template evaluations are limited to the scope of the nested template. This makes it impossible to expose secure parameters defined in the parent template.
Code examples
Noncompliant code example
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "type": "securestring",
      "defaultValue": "[newGuid()]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2022-09-01",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Compute/virtualMachines",
              "apiVersion": "2022-11-01",
              "properties": {
                "osProfile": {
                  "adminUsername": "[parameters('adminUsername')]"
                }
              }
            }
          ]
        }
      }
    }
  ]
}
Compliant solution
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2022-09-01",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "Inner"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "adminUsername": {
              "type": "securestring",
              "defaultValue": "[newGuid()]"
            }
          },
          "resources": [
            {
              "type": "Microsoft.Compute/virtualMachines",
              "apiVersion": "2022-11-01",
              "properties": {
                "osProfile": {
                  "adminUsername": "[parameters('adminUsername')]"
                }
              }
            }
          ]
        }
      }
    }
  ]
}
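The evaluation-scope problem described in the fix section can be checked mechanically. The following is an added example written for this page, not code from the rule or from Azure tooling: given a template already loaded as JSON, it collects the parent's securestring/secureObject parameters and reports any that an inline nested deployment references in the default Outer scope. It assumes only string expressions of the form parameters('name') matter and that linked templates (templateLink) are out of scope; the sample template is a constructed reduction of the noncompliant example above.

```python
# Added example (not the rule page's own code): flag nested ARM deployments that
# evaluate a parent securestring/secureObject parameter in the default Outer scope.
import re
from typing import Any, Iterator

SECURE_TYPES = {"securestring", "secureobject"}
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)", re.IGNORECASE)


def _strings(node: Any) -> Iterator[str]:
    # Yield every string value anywhere in a JSON-like structure.
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _strings(v))
    elif isinstance(node, list):
        yield from (s for v in node for s in _strings(v))


def find_leaks(template: dict) -> list[str]:
    # Parent parameters that ARM will not log or output once the deployment completes.
    secure = {n.lower() for n, p in template.get("parameters", {}).items()
              if str(p.get("type", "")).lower() in SECURE_TYPES}
    leaks: list[str] = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.resources/deployments":
            continue
        props = res.get("properties", {})
        scope = str(props.get("expressionEvaluationOptions", {}).get("scope", "Outer"))
        nested = props.get("template")
        # Inner scope resolves parameters() against the nested template itself, so a
        # parent secure value cannot be expanded into the deployment history. Only
        # inline templates are inspected; linked templates (templateLink) are skipped.
        if scope.lower() == "inner" or not isinstance(nested, dict):
            continue
        for text in _strings(nested):
            for ref in PARAM_REF.findall(text):
                if ref.lower() in secure and ref.lower() not in leaks:
                    leaks.append(ref.lower())
    return leaks


# Constructed sample: the page's noncompliant template reduced to the keys that matter.
NONCOMPLIANT = {
    "parameters": {"adminUsername": {"type": "securestring"}},
    "resources": [{"type": "Microsoft.Resources/deployments", "properties": {
        "mode": "Incremental",
        "template": {"resources": [{"type": "Microsoft.Compute/virtualMachines",
            "properties": {"osProfile": {"adminUsername": "[parameters('adminUsername')]"}}}]}}}],
}
```

Adding "expressionEvaluationOptions": {"scope": "Inner"} to the deployment's properties, as in the compliant solution, makes find_leaks return an empty list for the same template.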
Resources
Standards
- MITRE, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
- MITRE, CWE-532 - Insertion of Sensitive Information into Log File