EC2 user data exposes secrets
Description
User data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. Its contents are exposed to any entity with even the most basic access to EC2, including read-only configurations, and they are not encrypted. Removing secrets from such easily accessed, unencrypted locations reduces the risk of passwords, private keys and other credentials being exposed to third parties.
Code Example
```hcl
resource "aws_instance" "web" {
  ...
  instance_type = "t3.micro"
  # flagged: static credentials embedded in user_data
- user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}
```

Remediation
CLI Command
To see the secret, run the following CLI command:

```bash
aws ec2 describe-instance-attribute --attribute userData \
  --region <REGION> --instance-id <INSTANCE_ID> \
  --query UserData.Value --output text > encodeddata
base64 --decode encodeddata
```
Fix - Buildtime
Terraform
- Resource: aws_instance
- Argument: user_data

In this case, the analysis has found a likely AWS secret being used in your user_data. Remove these secrets and substitute dynamically retrieved values (for example, obtained from Vault) or use instance profiles.
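The instance-profile remediation recommended above, as an added Terraform example (not taken from this page or from Checkov's own documentation); it assumes a `var.ami_id` variable and uses placeholder role, profile and bucket names:

```hcl
# Added example, not from the page; role, profile and bucket names are placeholders.
resource "aws_iam_role" "web" {
  name = "web-instance-role"
  # Let the EC2 service assume this role on behalf of the instance.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least-privilege policy: only what the boot script actually needs.
resource "aws_iam_role_policy" "web_read_artifacts" {
  name = "read-app-artifacts"
  role = aws_iam_role.web.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::app-artifacts-bucket/*"
    }]
  })
}

resource "aws_iam_instance_profile" "web" {
  name = "web-instance-profile"
  role = aws_iam_role.web.name
}

resource "aws_instance" "web" {
  ami                  = var.ami_id
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.web.name

  # Require IMDSv2 so the role credentials are not served to plain GET requests.
  metadata_options {
    http_tokens = "required"
  }

  # No static keys: the AWS CLI on the instance fetches short-lived role
  # credentials from the instance metadata service automatically.
  user_data = <<-EOT
    #!/bin/bash
    aws s3 cp s3://app-artifacts-bucket/app.tar.gz /opt/app.tar.gz
  EOT
}
```

Because user_data is still readable by anyone with describe-instance-attribute access, the boot script should contain only non-sensitive commands even after this change.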
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0100 |
| Severity | HIGH |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_46 |