Ensure no hard-coded secrets exist in Parameter Store values
Description
This policy checks for hard-coded secrets in AWS Systems Manager (SSM) Parameter Store values defined in CloudFormation. A secret written literally into a template is exposed to anyone who can read the template, its source repository, or the stack's stored template body, and can be used to gain unauthorized access to the resources it protects. Secrets must be kept in a purpose-built store and referenced from templates and code, never embedded in them. The check looks at AWS::SSM::Parameter resources whose name contains 'secret' or 'api_key' and flags any whose Value is a literal rather than something dynamic, such as an intrinsic function or a dynamic reference to another resource.
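The heuristic described above, as an added example that is not part of the original page and not Checkov's own CKV_AWS_384 implementation: a stand-alone Python reimplementation that walks a parsed CloudFormation template and flags SSM parameters whose name contains 'secret' or 'api_key' and whose Value is a literal. It assumes a case-insensitive substring match on the Name property (falling back to the logical ID), treats any intrinsic function or `{{resolve:...}}` dynamic reference as dynamic, and runs over constructed sample templates; the function and helper names are its own.

```python
"""Heuristic check for hard-coded secrets in AWS::SSM::Parameter values.

Added example for this page: a from-scratch reimplementation of the rule as the
description states it, not the CKV_AWS_384 source. Templates are passed as
already-parsed dicts (the shape a YAML/JSON loader yields), so it runs offline.
"""
import re

# Name keywords from the description. Assumption: matched as a case-insensitive
# substring of the Name property (or the logical ID when Name is absent).
SECRET_NAME_RE = re.compile(r"secret|api_key", re.IGNORECASE)

# CloudFormation dynamic references, resolved at deploy time, not stored in the template.
DYNAMIC_REF_RE = re.compile(r"^\{\{resolve:(ssm|ssm-secure|secretsmanager):[^}]+\}\}$")


def is_dynamic_value(value):
    """True when Value is an intrinsic function or a {{resolve:...}} reference.

    A parsed template represents !Ref, !Sub, !GetAtt and friends as single-key
    mappings ({"Ref": ...}, {"Fn::Sub": ...}). Anything else, including a bare
    "${Name}" string never wrapped in !Sub, is a literal that CloudFormation
    would store verbatim.
    """
    if isinstance(value, dict) and len(value) == 1:
        key = next(iter(value))
        return key == "Ref" or key.startswith("Fn::")
    if isinstance(value, str):
        return DYNAMIC_REF_RE.match(value.strip()) is not None
    return False


def find_hardcoded_ssm_secrets(template):
    """Return logical IDs of SSM parameters that look like secrets but hold literal values."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SSM::Parameter":
            continue
        props = resource.get("Properties") or {}
        name = props.get("Name")
        lookup = name if isinstance(name, str) else logical_id
        if not SECRET_NAME_RE.search(lookup):
            continue  # out of scope for this heuristic, whatever the value is
        value = props.get("Value")
        if value is None or is_dynamic_value(value):
            continue
        findings.append(logical_id)
    return findings


def ssm_param(name, value):
    """Build a parsed AWS::SSM::Parameter resource (String type) for the samples below."""
    return {"Type": "AWS::SSM::Parameter",
            "Properties": {"Name": name, "Type": "String", "Value": value}}


# Constructed sample templates for this example; not taken from any real stack.
FAILING_TEMPLATE = {"Resources": {
    # literal secret -> flagged
    "PaymentsApiKey": ssm_param("/payments/api_key", "EXAMPLE-api-key-0123456789"),
    # looks like a reference, but without !Sub CloudFormation stores it verbatim -> flagged
    "AppSecret": ssm_param("/app/secret", "${AppSecretValue}"),
    # literal, but the name carries no keyword -> out of scope, not flagged
    "AppRegion": ssm_param("/app/region", "eu-west-1"),
}}

PASSING_TEMPLATE = {
    "Parameters": {"ApiKeyValue": {"Type": "String", "NoEcho": True}},
    "Resources": {
        # !Ref to a NoEcho template parameter
        "PaymentsApiKey": ssm_param("/payments/api_key", {"Ref": "ApiKeyValue"}),
        # !Sub wrapping a Secrets Manager dynamic reference
        "DbSecret": ssm_param("/db/secret", {"Fn::Sub": "{{resolve:secretsmanager:${DbSecretArn}:SecretString:password}}"}),
    },
}

if __name__ == "__main__":
    print("failing:", find_hardcoded_ssm_secrets(FAILING_TEMPLATE))  # ['PaymentsApiKey', 'AppSecret']
    print("passing:", find_hardcoded_ssm_secrets(PASSING_TEMPLATE))  # []
```

The second failing case is the one worth remembering: a `${...}` string that is not wrapped in `!Sub` is not a reference at all, so a scanner that only looks for a dollar sign would miss that CloudFormation stores the text verbatim. To run this against real templates, load them with a YAML loader that understands the `!Ref`/`!Sub` short-form tags (or convert to JSON first) and pass the resulting dict to `find_hardcoded_ssm_secrets`.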
Code Example
```yaml
Parameters:
  MySecureParameterValue:
    Type: String
    NoEcho: true            # supplied at deploy time; masked in console, CLI and API output
Resources:
  MyParameter:
    Type: 'AWS::SSM::Parameter'
    Properties:
      Name: 'MySecureParameter'
      Type: String          # CloudFormation cannot create SecureString parameters
      Value: !Ref MySecureParameterValue   # a reference, not a literal, so the check passes
```
Remediation
Ensure that secrets are stored securely, using AWS Secrets Manager or another secure method, and reference them dynamically in your CloudFormation templates (an intrinsic function such as !Ref or !Sub, or a {{resolve:secretsmanager:...}} dynamic reference) rather than writing the value into the template. Note that AWS::SSM::Parameter supports only the String and StringList types in CloudFormation; it cannot create a SecureString parameter, so a value written to a parameter this way is readable by every principal with ssm:GetParameter on it. Keep actual credentials in an AWS::SecretsManager::Secret (or create the SecureString parameter outside CloudFormation) and store only references in the template.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0431 |
| Severity | HIGH |
| IaC Type | CloudFormation |
| Frameworks | AWS::SSM::Parameter |
| Checkov ID | CKV_AWS_384 |