Azure Resource Manager templates define parameters as a way to reuse templates in different environments. Secure parameters (secure strings and secure objects) should not be assigned a default value.

Why is this an issue?

Parameters of type securestring or secureObject are designed to pass sensitive data to the resources being deployed. Unlike other data types, they cannot be accessed after the deployment is completed: they can neither be logged nor used as an output.

Secure parameters can nevertheless be assigned a default value that is used whenever the parameter is not supplied at deployment time. This default value is not protected: it is stored in cleartext in the deployment history.

What is the potential impact?

If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history.

How to fix it in ARM templates

Code examples

Noncompliant code example

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secretValue": {
      "type": "securestring",
      "defaultValue": "S3CR3T"
    }
  }
}

Compliant solution

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secretValue": {
      "type": "securestring"
    }
  }
}

How to fix it in Bicep

Code examples

Noncompliant code example

@secure()
param secureStringWithDefaultValue string = 'S3CR3T' // Noncompliant

Compliant solution

@secure()
param secureStringWithDefaultValue string
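As an added illustration (not part of the original rule description), the following script implements the check described above for both template flavours: it parses an ARM template and flags any securestring/secureObject parameter that carries a defaultValue, and scans Bicep source for a @secure() param declared with an "=" default. The sample template and Bicep snippet are constructed for this example.

```python
import json
import re
from typing import List

# ARM parameter type names are case-insensitive, so compare lower-cased.
SECURE_TYPES = {"securestring", "secureobject"}


def find_arm_secure_defaults(template_text: str) -> List[str]:
    """Return names of securestring/secureObject parameters that set defaultValue."""
    template = json.loads(template_text)
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if spec.get("type", "").lower() in SECURE_TYPES and "defaultValue" in spec:
            findings.append(name)
    return findings


# Bicep: a @secure() decorator directly above a param declaration that carries
# an "=" default on the same line. Trailing comments on that line are ignored.
BICEP_SECURE_DEFAULT = re.compile(
    r"@secure\(\)\s*\n\s*param\s+(\w+)\s+(?:string|object)[ \t]*="
)


def find_bicep_secure_defaults(bicep_text: str) -> List[str]:
    """Return names of @secure() params that are declared with a default value."""
    return BICEP_SECURE_DEFAULT.findall(bicep_text)


# Constructed sample inputs (not taken from any real deployment).
ARM_SAMPLE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminPassword": {"type": "securestring", "defaultValue": "S3CR3T"},
        "apiKeys": {"type": "secureObject", "defaultValue": {"key": "value"}},
        "dbPassword": {"type": "securestring"},
        "location": {"type": "string", "defaultValue": "westeurope"},
    },
})

BICEP_SAMPLE = """\
@secure()
param adminPassword string = 'S3CR3T' // Noncompliant
@secure()
param dbPassword string
param location string = 'westeurope'
"""

if __name__ == "__main__":
    print("ARM:", find_arm_secure_defaults(ARM_SAMPLE))        # ['adminPassword', 'apiKeys']
    print("Bicep:", find_bicep_secure_defaults(BICEP_SAMPLE))  # ['adminPassword']
```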
