CloudFormation stack Outputs are analyzed for hardcoded secrets (passwords, API keys, tokens) using pattern-based detection across output values. A finding indicates that potential secret strings are present within the Outputs of the template or stack.
Risk
Secrets in Outputs are readable to anyone with stack metadata access, enabling credential theft, unauthorized API calls, and lateral movement. Exposure via consoles, exports, or CI logs undermines confidentiality and can lead to privilege escalation and data exfiltration.
prowler aws --checks cloudformation_stack_outputs_find_secrets
Recommendation
Remove secrets from Outputs. Store credentials in Secrets Manager or Parameter Store and reference them via dynamic references; set NoEcho for sensitive parameters. Apply least privilege to view stack metadata, avoid exporting sensitive values, and add automated IaC secret scanning for defense in depth.
Remediation
aws cloudformation update-stack --stack-name <STACK_NAME> --template-body file://<TEMPLATE_WITHOUT_SENSITIVE_OUTPUTS>.yaml
- In the AWS Console, go to CloudFormation > Stacks and select the stack
- Click Update > Replace current template
- Upload or paste the template with any secret-bearing Outputs removed (do not output passwords/tokens/keys)
- Click Next through the wizard and choose Submit to apply the change set
- Verify the stack Outputs tab no longer shows sensitive values
Resource Type
AwsCloudFormationStack