Find secrets in CloudFormation outputs
Severity: critical
Status: FAIL
Region: ap-south-1
Service: cloudformation
Account ID: 452302344803
Resource ID: StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0769c7a1-ca6a-4400-96e9-d3fed7e56afa
Resource ARN: arn:aws:cloudformation:ap-south-1:452302344803:stack/StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0769c7a1-ca6a-4400-96e9-d3fed7e56afa/7b3c9ea0-6383-11ee-abc7-0a353e80a4d6
Check ID: cloudformation_stack_outputs_find_secrets
Type: Not applicable
Scan Time: 2025-07-06 @ 21:07:51 UTC
Prowler Finding ID: 80630ea4-8106-44e7-9176-fbe3ee209777
Details:
Potential secret found in Stack StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0769c7a1-ca6a-4400-96e9-d3fed7e56afa Outputs.
Risk:
Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.
Recommendation:
Implement an automated detective control to scan accounts for passwords and secrets. Use a secrets manager service to store and retrieve passwords and secrets.