New Open SWE Request #11

@debianmaster

Finding: Find secrets in CloudFormation outputs

Severity: critical

Status: FAIL

Region: ap-south-1

Service: cloudformation

Account ID: 452302344803

Resource ID: StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0769c7a1-ca6a-4400-96e9-d3fed7e56afa

Resource ARN: arn:aws:cloudformation:ap-south-1:452302344803:stack/StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0769c7a1-ca6a-4400-96e9-d3fed7e56afa/7b3c9ea0-6383-11ee-abc7-0a353e80a4d6

Check ID: cloudformation_stack_outputs_find_secrets

Type: Not applicable

Scan Time: 2025-07-06 @ 21:07:51 UTC

Prowler Finding ID: 80630ea4-8106-44e7-9176-fbe3ee209777

Details:
Potential secret found in Stack StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0769c7a1-ca6a-4400-96e9-d3fed7e56afa Outputs.

Risk:

Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.

Recommendation:
Implement an automated detective control to scan accounts for passwords and secrets. Use a secrets manager service to store and retrieve passwords and secrets.
