No Secrets In Launch Template User Data | Vulnerability Database

User data for EC2 instances must not contain sensitive AWS keys

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.

Impact

User data is visible through the AWS Management console

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Remove sensitive data from the EC2 instance user-data generated by launch templates

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27


Resources:
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: MyIamInstanceProfile
      Path: "/"
      Roles:
      - MyAdminRole
  GoodExample:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: MyLaunchTemplate
      LaunchTemplateData:
        IamInstanceProfile:
          Arn: !GetAtt
            - MyIamInstanceProfile
            - Arn
        DisableApiTermination: true
        ImageId: ami-04d5cc9b88example
        UserData: export SSM_PATH=/database/creds
        InstanceType: t2.micro
        KeyName: MyKeyPair
        MetadataOptions:
          - HttpTokens: required
        SecurityGroupIds:
          - sg-083cd3bfb8example

Remove sensitive data from the EC2 instance user-data generated by launch templates

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16


 resource "aws_iam_instance_profile" "good_example" {
		 // ...
 }
 
 resource "aws_launch_template" "good_example" {
	 image_id      = "ami-12345667"
	 instance_type = "t2.small"
 
	 iam_instance_profile {
		 name = aws_iam_instance_profile.good_profile.arn
	 }
	 user_data = <<EOF
	 export GREETING=hello
EOF
}
 

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#user_data