
Security Review: Configuration Override Risks in SOPS and Parameter Management #1204

@youming1970

Description

Summary

During a security analysis of CloudPosse's AWS Components library, I identified several configuration patterns that may introduce security risks in certain deployment scenarios. These primarily relate to forced override behaviors and parameter management practices.

Issues Identified

1. Forced Kubernetes Manifest Conflicts

Location: mixins/sops.mixin.tf (line 45)

Issue:

resource "kubernetes_manifest" "sops_secret" {
  field_manager {
    force_conflicts = true  # Forces override of conflicting resources
  }
}

Security Impact:

  • May silently take ownership of fields already managed by another field manager (a controller, operator or kubectl user), overwriting existing security configuration
  • Could mask configuration drift or unauthorized changes, since the conflict that would have surfaced them is suppressed
  • Reduces visibility into conflicting resource states

2. SSM Parameter Forced Overwrite

Location: modules/datadog-configuration/ssm.tf (lines 37, 44)

Issue:

parameter_write = [
  {
    name      = local.datadog_api_key_name
    value     = local.datadog_api_key
    type      = "SecureString"
    overwrite = "true"  # Always overwrites existing parameters
  }
]

Security Impact:

  • Potential for accidentally overwriting critical configuration
  • No confirmation or validation before replacing existing secrets
  • May bypass approval workflows for sensitive parameter changes

3. Wide SSM Parameter Permissions

Location: modules/ecs-service/github-actions-iam-policy.tf (lines 67-70)

Pattern: ARN patterns grant broad SSM parameter access across services and names.

Observation: While functionally correct, this grants broad SSM access patterns that may be worth reviewing.
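As an added illustration of the scoping being suggested (this is example code, not the project's policy), the following Terraform places a broad SSM grant next to one restricted to a single service's parameter tree. The path layout /<namespace>/<stage>/<service>/*, the variable names and the data source names are assumptions chosen for this example.

```hcl
# Added example, not the project's own policy. The parameter path layout and
# variable names below are assumptions chosen for illustration.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

variable "namespace" { type = string }
variable "stage"     { type = string }
variable "service"   { type = string }

locals {
  ssm_arn_prefix = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter"
}

# Weak pattern: every parameter in the account, regardless of service or name.
data "aws_iam_policy_document" "ssm_broad" {
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["${local.ssm_arn_prefix}/*"]
  }
}

# Scoped pattern: read-only access limited to this service's own parameter tree.
# ssm:DescribeParameters does not support resource-level restriction, so it is
# granted separately on "*" and only lists metadata, never values.
data "aws_iam_policy_document" "ssm_scoped" {
  statement {
    sid       = "ReadOwnParameters"
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["${local.ssm_arn_prefix}/${var.namespace}/${var.stage}/${var.service}/*"]
  }

  statement {
    sid       = "DescribeOnly"
    actions   = ["ssm:DescribeParameters"]
    resources = ["*"]
  }
}
```

The scoped document still lets a CI job read its own service's SecureString parameters (KMS decrypt permission for the key backing them is a separate grant), while a compromised token for one service can no longer enumerate or read another service's secrets.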

Security Recommendations

1. Conditional Conflict Handling

field_manager {
  force_conflicts = var.allow_manifest_conflicts
  # Default to false, require explicit enablement
}

2. Protected Parameter Overwrite

parameter_write = [
  {
    overwrite = var.allow_parameter_overwrite ? "true" : "false"
    # Add validation or confirmation requirements
  }
]

3. Enhanced Logging

Consider adding output warnings when forced operations occur to improve visibility.
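The three recommendations above combined into one self-contained Terraform module, as an added example that is not code from the CloudPosse components. It uses the aws_ssm_parameter resource directly rather than the parameter_write list of the SSM module, and the variable names, the field manager name, the Secret name and the parameter name are assumptions chosen for illustration. The check blocks require Terraform 1.5 or later.

```hcl
# Added example, not the project's own code. Variable names, the manifest
# content and the parameter name are assumptions chosen for illustration.
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws        = { source = "hashicorp/aws" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

# 1. Conflict handling is opt-in: defaults to false, must be enabled explicitly.
variable "allow_manifest_conflicts" {
  description = "Allow server-side apply to take ownership of fields managed by other field managers."
  type        = bool
  default     = false
}

# 2. Overwriting an existing SSM parameter is opt-in as well.
variable "allow_parameter_overwrite" {
  description = "Allow replacing an SSM parameter that already exists."
  type        = bool
  default     = false
}

variable "datadog_api_key" {
  type      = string
  sensitive = true
}

# With force_conflicts = false, a field owned by another manager makes the
# apply fail with a conflict error instead of silently changing the field.
resource "kubernetes_manifest" "sops_secret" {
  manifest = {
    apiVersion = "v1"
    kind       = "Secret"
    metadata = {
      name      = "sops-age-key" # assumed name
      namespace = "sops"         # assumed namespace
    }
    type = "Opaque"
  }

  field_manager {
    name            = "terraform-sops-mixin" # assumed manager name
    force_conflicts = var.allow_manifest_conflicts
  }
}

# With overwrite = false, creating a parameter that already exists fails,
# which surfaces an unexpected pre-existing value rather than replacing it.
resource "aws_ssm_parameter" "datadog_api_key" {
  name      = "/datadog/datadog_api_key" # assumed name
  type      = "SecureString"
  value     = var.datadog_api_key
  overwrite = var.allow_parameter_overwrite
}

# 3. Visibility: a failed check assertion is reported as a warning on plan and
# apply, not an error, so a forced operation is recorded in the run output
# without blocking it.
check "forced_manifest_conflicts" {
  assert {
    condition     = !var.allow_manifest_conflicts
    error_message = "allow_manifest_conflicts=true: kubernetes_manifest.sops_secret will take ownership of conflicting fields."
  }
}

check "forced_parameter_overwrite" {
  assert {
    condition     = !var.allow_parameter_overwrite
    error_message = "allow_parameter_overwrite=true: aws_ssm_parameter.datadog_api_key will replace any existing value."
  }
}
```

Running terraform plan -var allow_parameter_overwrite=true prints the second warning in the plan output, which is the trace an approval gate or audit reviewer can look for; with both variables left at their defaults the checks pass silently and any real conflict or pre-existing parameter fails the apply.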

Impact Assessment

These configurations work correctly in controlled environments but may introduce risks in:

  • Multi-team environments where parameter ownership is shared
  • CI/CD pipelines with insufficient approval gates
  • Scenarios where configuration changes require audit trails

Context

CloudPosse demonstrates excellent infrastructure-as-code practices overall. These observations are intended to enhance the already strong security posture by providing additional safeguards for edge cases and multi-tenant scenarios.

Would the team be interested in discussing approaches to add optional safety mechanisms while preserving the current functional behavior?


Configuration Security Review Team
[email protected]
