Tags: aws-cloudformation, serverless-application-model

Hiding CloudFormation/SAM secret in Aws Console Template tab


Suppose I have the following secret in a CloudFormation (or SAM) template which I deploy to my AWS IAM account as part of a stack (with, of course, the sensitive value of the SecretString dynamically assigned by the script that runs the CloudFormation deployment):

Resources:
 
  MySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: MySecret
      Description: Embarrassing fact I want to keep secret
      SecretString: "I_think_Twighlight_Sparkle_is_cool"

When I examine the stack page in the AWS console I notice the "Template" tab displays the whole template, including this secret, in plain text.

This seems very undesirable to me, and I am wondering if there is some way of mitigating it that I am missing. While only people with access to the IAM account can go to the AWS console, it seems undesirable to have secrets pop up in plain text unless one is specifically requesting to see them.

Anybody know of a good way to mitigate this?


Solution

  • From your explanation I assume you only want to hide the plaintext value when viewing from the console. The closest you can get using your method would be using NoEcho in parameters.

    An example of what you could do is move the string you want to mask into a parameter, set the parameter property NoEcho to True, and then reference that parameter value in your resource.

    However, this won't solve your issue of the value being visible inside the template, as the docs point out:

    "we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation"

    What this is saying is that with your current architecture you are unable to hide the value within the template. Instead you would need to reference a value stored outside of the template, or create an elaborate custom resource which creates your secret value. Other than that, as you pointed out, access can be restricted via IAM permissions.
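The following is an added example, not code from the question or the answer above. It takes the layouts discussed (a literal SecretString, a NoEcho parameter, a dynamic reference) in the JSON-equivalent dict form of a CloudFormation template and lints them for values that would still surface in the console. Two points the answer leaves implicit: NoEcho only masks the parameter value with asterisks in DescribeStacks output and the Parameters tab, so a Default on a NoEcho parameter still sits in the template body returned by GetTemplate (which is what the Template tab displays, so denying cloudformation:GetTemplate is the IAM-side mitigation); and for a secret that does not have to come from outside, AWS::SecretsManager::Secret can use GenerateSecretString so the value is created by Secrets Manager and never enters the template at all. The template names, parameter names and values below are constructed sample data.

```python
# Added example (not from the question or answer): lint a CloudFormation/SAM
# template, given in its JSON-equivalent dict form, for secret values that
# would be visible in the stored template body (Template tab / GetTemplate)
# or in stack parameter output (DescribeStacks). All templates below are
# constructed sample data for this example.
import re

# Dynamic references are resolved by CloudFormation at deploy time, so only the
# reference string, never the secret value, is stored with the template body.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):[^}]+\}\}$")


def _is_true(value) -> bool:
    """NoEcho may be a YAML boolean or the string 'true' depending on the author."""
    return str(value).lower() == "true"


def lint_template(template: dict) -> list:
    """Return one finding per way an AWS::SecretsManager::Secret value leaks
    through the template body or stack parameters. Empty list means clean."""
    findings = []
    params = template.get("Parameters", {})
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SecretsManager::Secret":
            continue
        props = res.get("Properties", {})
        if "SecretString" not in props:
            # GenerateSecretString (or no value at all): Secrets Manager creates
            # the value, so nothing sensitive ever passes through the template.
            continue
        value = props["SecretString"]
        if isinstance(value, str):
            if DYNAMIC_REF.match(value):
                continue
            findings.append(f"{name}: SecretString is a literal in the template body")
        elif isinstance(value, dict) and "Ref" in value:
            # YAML short form '!Ref Foo' parses to {"Ref": "Foo"} in JSON form.
            pname = value["Ref"]
            param = params.get(pname, {})
            if not _is_true(param.get("NoEcho", False)):
                findings.append(f"{name}: parameter {pname} lacks NoEcho, so DescribeStacks shows its value")
            if "Default" in param:
                findings.append(f"{name}: parameter {pname} has a Default, which is part of the template body")
        else:
            findings.append(f"{name}: SecretString built with an intrinsic other than Ref; review manually")
    return findings


def _secret(properties: dict, parameters: dict = None) -> dict:
    """Build a one-resource template around the given secret properties."""
    tpl = {"Resources": {"MySecret": {"Type": "AWS::SecretsManager::Secret",
                                      "Properties": {"Name": "MySecret", **properties}}}}
    if parameters:
        tpl["Parameters"] = parameters
    return tpl


# The layout from the question: the value is a literal and is stored verbatim.
LITERAL = _secret({"SecretString": "plaintext-value-here"})

# NoEcho parameter supplied at deploy time (e.g. via --parameter-overrides):
# the body holds only the Ref, and DescribeStacks masks the value with asterisks.
NOECHO = _secret({"SecretString": {"Ref": "SecretValue"}},
                 {"SecretValue": {"Type": "String", "NoEcho": True}})

# Same, but with a Default: the default value is back in the template body.
NOECHO_WITH_DEFAULT = _secret({"SecretString": {"Ref": "SecretValue"}},
                              {"SecretValue": {"Type": "String", "NoEcho": True,
                                               "Default": "changeme"}})

# Dynamic reference to a secret managed outside the stack (the docs' advice).
DYNAMIC = _secret({"SecretString": "{{resolve:secretsmanager:SharedSecret:SecretString:value}}"})

# Let Secrets Manager generate the value: nothing sensitive is in the template.
GENERATED = _secret({"GenerateSecretString": {"PasswordLength": 32}})


def main():
    for label, tpl in [("literal", LITERAL), ("noecho", NOECHO),
                       ("noecho+default", NOECHO_WITH_DEFAULT),
                       ("dynamic", DYNAMIC), ("generated", GENERATED)]:
        print(f"{label}: {lint_template(tpl) or 'clean'}")


if __name__ == "__main__":
    main()
```

The lint deliberately does not try to follow Fn::Sub or Fn::Join expressions, since a secret assembled that way still needs a human look; it also does not check which resource properties accept ssm-secure dynamic references, which CloudFormation restricts. Run it against the JSON form of a template (for YAML templates, the AWS CLI and most SAM tooling can emit the processed JSON) before deploying, or wire it into the deployment script the question mentions.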