No Secrets In User Data | Vulnerability Database

User data for EC2 instances must not contain sensitive AWS keys

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Remove sensitive data from the EC2 instance user-data

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


Resources:
  GoodExample:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/sdm
          Ebs:
            DeleteOnTermination: "false"
            Iops: "200"
            VolumeSize: "20"
            VolumeType: io1
        - DeviceName: /dev/sdk
      ImageId: ami-79fd7eee
      KeyName: testkey
      UserData: export SSM_PATH=/database/creds

Remove sensitive data from the EC2 instance user-data

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


resource "aws_iam_instance_profile" "good_example" {
  // ...
}

resource "aws_instance" "good_example" {
  ami           = "ami-12345667"
  instance_type = "t2.small"

  iam_instance_profile = aws_iam_instance_profile.good_profile.arn

  user_data = <<EOF
	 export GREETING=hello
 EOF
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#user_data