CRITICAL
Source
Trivy
ID
AVD-AWS-0029

User data for EC2 instances must not contain sensitive AWS keys

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.

Impact

User data is visible through the AWS Management console

Follow the appropriate remediation steps below to resolve the issue.

Remove sensitive data from the EC2 instance user-data

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      UserData: export SSM_PATH=/database/creds
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
        - DeviceName: "/dev/sdk"

Remove sensitive data from the EC2 instance user-data

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
resource "aws_iam_instance_profile" "good_example" {
  // ...
}

resource "aws_instance" "good_example" {
  ami           = "ami-12345667"
  instance_type = "t2.small"
  
  iam_instance_profile = aws_iam_instance_profile.good_profile.arn
  
  user_data = <<EOF
  export GREETING=hello
  EOF
}