CloudFormation outputs expose secrets

Description

CloudFormation outputs contain values produced when the template's stack is created. These outputs may contain secrets, for example user names, passwords, and tokens. Outputs cannot be encrypted, so any entity with basic read-metadata-only access to the stack, and therefore to its CloudFormation outputs, can read these secrets.

We recommend you remove secrets from unencrypted places, especially if they can be easily accessed, to reduce the risk of exposing data to third parties.

Fix - Runtime

CLI Command

To see the secret, run the following CLI command:

aws cloudformation --region <REGION> describe-stacks --stack-name <STACK_NAME>
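The command above prints the stack's outputs as JSON. The following is an added example (not part of the original page) that scans that JSON for outputs whose key name or value shape suggests a credential, so a reviewer can find exposed secrets before an unintended reader does. The key and value patterns are heuristic assumptions, and the input is a constructed sample stack, not a real one.

```python
"""Flag CloudFormation stack outputs that look like they carry secrets."""
import json
import re

# Output keys that commonly carry credentials (heuristic, an assumption).
SUSPICIOUS_KEY = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|accesskey|private)", re.I
)
# Values shaped like an AWS access key id or a long opaque random string.
SUSPICIOUS_VALUE = re.compile(r"^(AKIA[0-9A-Z]{16}|[A-Za-z0-9+/=_-]{32,})$")


def find_secret_outputs(describe_stacks_json: str) -> list[dict]:
    """Return {stack, key, reason} for each output that looks like a secret.

    `describe_stacks_json` is the text printed by
    `aws cloudformation describe-stacks` (a "Stacks" list, each with "Outputs").
    """
    findings = []
    for stack in json.loads(describe_stacks_json).get("Stacks", []):
        for out in stack.get("Outputs", []):
            key = out.get("OutputKey", "")
            value = str(out.get("OutputValue", ""))
            if SUSPICIOUS_KEY.search(key):
                findings.append({"stack": stack["StackName"], "key": key, "reason": "key name"})
            elif SUSPICIOUS_VALUE.match(value):
                findings.append({"stack": stack["StackName"], "key": key, "reason": "value shape"})
    return findings


# Constructed sample of describe-stacks output; values are made up.
SAMPLE = json.dumps({"Stacks": [{"StackName": "demo-stack", "Outputs": [
    {"OutputKey": "DbEndpoint", "OutputValue": "db.example.internal:5432"},
    {"OutputKey": "DbPassword", "OutputValue": "Winter2024!"},
    {"OutputKey": "SigningMaterial",
     "OutputValue": "EXAMPLEexampleEXAMPLEexampleEXAMPLEexample"},
    {"OutputKey": "ApiToken", "OutputValue": "tok-constructed"},
    {"OutputKey": "BucketArn", "OutputValue": "arn:aws:s3:::example-bucket"},
]}]})

if __name__ == "__main__":
    for f in find_secret_outputs(SAMPLE):
        print(f"{f['stack']}: output {f['key']} flagged ({f['reason']})")
```

To use it on a real stack, pipe the command's output into the function; a flagged output should be moved out of the template outputs (for example into a secrets store, exporting only a reference to it) and the stack updated.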