How to Securely Store Database Passwords in AWS CloudFormation Templates

Securing Database Passwords in AWS CloudFormation Templates


Question

You are creating a CloudFormation template that takes a database password as a parameter.

How can you ensure that the password is not visible when anybody tries to describe the stack?

Answers

Explanations


A. B. C. D.

Answer - B.

The AWS documentation states:

For sensitive parameter values (such as passwords), set the NoEcho property to true.

That way, whenever anyone describes your stack, the parameter value is shown as asterisks (*****).

For more information on CloudFormation parameters, see:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html

When creating a CloudFormation template, it is important to ensure that sensitive information, such as passwords, is not visible to anyone who describes the stack. This is particularly important if the template is shared with other people, or if it is used in a production environment. To ensure that the password is not visible, set the NoEcho property on the parameter.

The NoEcho property is a boolean value that can be set on a parameter in a CloudFormation template. When NoEcho is set to true, the parameter value is not displayed when the stack is described. This ensures that sensitive information, such as passwords, is not visible to unauthorized users.

Option A, using the password attribute for the resource, is not a valid approach because it does not ensure that the password is not visible when anyone describes the stack. The password attribute is used to set the initial password for a resource, such as a database, and is not related to CloudFormation parameter values.

Option C, using the hidden property for the parameter value, is also not a valid approach because there is no "hidden" property for CloudFormation parameters. This property is not supported by CloudFormation.

Option D, setting the hidden attribute for the CloudFormation resource, is also not a valid approach because there is no "hidden" attribute for CloudFormation resources. This attribute is not supported by CloudFormation.

Therefore, the correct answer is B: use the NoEcho property for the parameter value to ensure that the password is not visible when anyone describes the stack.
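An added example, not part of the original page or of AWS tooling: a small Python check over a parsed JSON template that flags password-like parameters missing NoEcho, and NoEcho parameters referenced from Outputs or Metadata, which NoEcho does not mask. The function names, the name heuristic and the sample template are assumptions constructed for illustration.

```python
import re

# Heuristic (assumption): parameter names that suggest a secret.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token", re.IGNORECASE)

def _is_true(value):  # NoEcho may be a boolean or the string "true"
    return str(value).lower() == "true"

def _refs(node):
    """Yield every name used via {"Ref": name} anywhere inside node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            else:
                yield from _refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item)

def audit_noecho(template):
    """Return a sorted list of (location, problem) findings for a parsed template."""
    params = template.get("Parameters", {})
    masked = {n for n, p in params.items() if _is_true(p.get("NoEcho"))}
    findings = []
    for name in params:
        if SENSITIVE_NAME.search(name) and name not in masked:
            findings.append((f"Parameters.{name}", "sensitive name without NoEcho"))
    # NoEcho masks the parameter only; values copied into these sections stay readable.
    for section in ("Outputs", "Metadata"):
        for key, body in template.get(section, {}).items():
            for ref in _refs(body):
                if ref in masked:
                    findings.append((f"{section}.{key}", f"exposes NoEcho parameter {ref}"))
    return sorted(findings)

# Constructed sample template (not from the page).
SAMPLE = {
    "Parameters": {
        "DBPassword": {"Type": "String", "NoEcho": True},
        "AdminPassword": {"Type": "String"},
        "DBName": {"Type": "String"},
    },
    "Outputs": {"Debug": {"Value": {"Ref": "DBPassword"}}},
}

if __name__ == "__main__":
    for location, problem in audit_noecho(SAMPLE):
        print(f"{location}: {problem}")
```

The check follows only `Ref`; references written through `Fn::Sub` strings are outside what this example inspects.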