Sensitive Parameters Must Have NoEcho
ID: rule:aliyun:parameter-sensitive-noecho-check
Severity: high
Description
Template parameters that contain sensitive information (passwords, API keys, secrets) must be protected by either setting NoEcho to true or using valid AssociationProperty values to prevent them from being displayed in plain text.
Reason for Violation
Sensitive parameters without proper protection (NoEcho or valid AssociationProperty) may be exposed in logs, console output, or API responses, leading to security risks.
Recommendation
For all sensitive parameters (those containing password, apikey, secret, etc.), either set NoEcho to true or use valid AssociationProperty values such as ALIYUN::ECS::Instance::Password, ALIYUN::Bailian::ApiKey::ApiKeyInfo, or ALIYUN::DashScope::ApiKey.
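The following Python sketch is an added example, not the rule's own implementation: it applies the check described above to a constructed template and lists the parameters that would violate it. Matching keywords against the parameter name, limiting the keyword list to the three named on this page, and accepting the string "true" for NoEcho are assumptions.

```python
# Added example: a sketch of the check, not the rule's actual implementation.
# Assumption: a parameter is "sensitive" when its name contains one of these
# keywords (case-insensitive). The page's list ends in "etc.", so it is partial.
SENSITIVE_KEYWORDS = ("password", "apikey", "secret")

# AssociationProperty values the page names as valid protection.
PROTECTING_ASSOCIATIONS = {
    "ALIYUN::ECS::Instance::Password",
    "ALIYUN::Bailian::ApiKey::ApiKeyInfo",
    "ALIYUN::DashScope::ApiKey",
}

def is_true(value):
    # Assumption: NoEcho may arrive as a boolean or as the string "true".
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def is_sensitive(name):
    lowered = name.lower()
    return any(keyword in lowered for keyword in SENSITIVE_KEYWORDS)

def find_unprotected(template):
    """Return sorted names of sensitive parameters lacking both protections."""
    findings = []
    for name, spec in (template.get("Parameters") or {}).items():
        spec = spec or {}
        if not is_sensitive(name):
            continue
        if is_true(spec.get("NoEcho")):
            continue
        if spec.get("AssociationProperty") in PROTECTING_ASSOCIATIONS:
            continue
        findings.append(name)
    return sorted(findings)

# Constructed sample template (parameter names and values are illustrative).
SAMPLE_TEMPLATE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Parameters": {
        "DbPassword": {"Type": "String"},                      # violation: no protection
        "AdminPassword": {"Type": "String", "NoEcho": True},   # protected by NoEcho
        "InstancePassword": {"Type": "String",
                             "AssociationProperty": "ALIYUN::ECS::Instance::Password"},
        "ApiKey": {"Type": "String", "NoEcho": "false"},       # violation: NoEcho is off
        "ClientSecret": {"Type": "String",                     # violation: placeholder value
                         "AssociationProperty": "Example::Unrelated::Value"},
        "InstanceType": {"Type": "String"},                    # not sensitive, ignored
    },
}

if __name__ == "__main__":
    for name in find_unprotected(SAMPLE_TEMPLATE):
        print(f"{name}: sensitive parameter without NoEcho or a valid AssociationProperty")
```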
Resource Types
No specific resource types