Ensure EC2 user data does not expose secrets

Error: EC2 user data exposes secrets

Bridgecrew Policy ID: BC_AWS_SECRETS_1
Checkov Check ID: CKV_AWS_46
Severity: HIGH

EC2 user data exposes secrets


User data is an EC2 instance attribute that carries a shell script or cloud-init directives to run when the instance boots. It is stored base64-encoded, not encrypted, and it is readable by any principal allowed to call ec2:DescribeInstanceAttribute, which read-only EC2 access already grants, as well as by any process on the instance itself through the Instance Metadata Service at http://169.254.169.254/latest/user-data, with no AWS credentials at all.

Keeping secrets out of unencrypted, widely readable places like this reduces the risk that passwords, private keys and API credentials are exposed to third parties.

Fix - Runtime

CLI Command

To see what an instance's user data currently contains (the API returns it base64-encoded, so it has to be decoded), run the following CLI command:

aws ec2 describe-instance-attribute \
    --attribute userData \
    --region <REGION> \
    --instance-id <INSTANCE_ID> \
    --query UserData.Value \
    --output text | base64 --decode

This only shows the secret; it does not remove it. Treat any credential found this way as compromised and rotate it, since anyone with read access to the account may already have copied it. Then stop the instance (user data can only be changed while the instance is stopped) and replace the user data with a version that carries no secret, for example with aws ec2 modify-instance-attribute --instance-id <INSTANCE_ID> --attribute userData --value file://<NEW_USER_DATA>.

Fix - Buildtime


Resource: aws_instance
Argument: user_data
In this case, the analysis has found what looks like an AWS access key or secret key in your user_data. Remove the static credential and rotate it. Give the instance its AWS permissions through an IAM instance profile (the iam_instance_profile argument) so it receives short-lived credentials from the metadata service instead of embedded keys, and have the boot script fetch any other secret it needs at runtime from a secrets store such as AWS Secrets Manager or HashiCorp Vault rather than hard-coding it in the template.

resource "aws_instance" "web" {
    instance_type = "t3.micro"
-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}


Resource: AWS::EC2::Instance
Argument: Properties.UserData

    Type: AWS::EC2::Instance
    Properties:
-     UserData: "..."
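The following script is an added example, not Bridgecrew or Checkov code, and it ties the runtime check and the buildtime fix above together. It decodes user data the way the describe-instance-attribute command returns it, scans it for the shape of AWS key material the policy is looking for, and emits a hardened user-data script that relies on the instance profile and pulls its secret from Secrets Manager at boot. The key patterns are an approximation chosen for this example, the secret ID prod/web/db-password is an assumption, and both user-data samples are constructed here (the leaky one uses the example credentials from the AWS documentation, which are not live keys). Only check_instance needs the aws CLI; everything else runs offline.

```shell
#!/usr/bin/env bash
# Added example (not Bridgecrew/Checkov code). Needs a POSIX shell, coreutils
# base64, sed and GNU grep; the aws CLI is required only by check_instance.
# Both user-data samples below are constructed for this example.

# Rough patterns for AWS key material: an access key ID (AKIA for long-term,
# ASIA for temporary keys, plus 16 uppercase alphanumerics) and a 40-character
# base64-like run such as a secret access key, delimited by other characters.
AKID_RE='(AKIA|ASIA)[A-Z0-9]{16}'
SECRET_RE='[^A-Za-z0-9/+][A-Za-z0-9/+]{40}[^A-Za-z0-9/+]'

# Decode the base64 blob that `describe-instance-attribute --attribute userData`
# returns in UserData.Value (read from stdin).
decode_user_data() {
  base64 --decode
}

# Exit 0 when the plain-text user data ($1) contains something that looks like
# an AWS access key ID or secret access key.
user_data_has_secrets() {
  # Pad every line with a space so the delimiter classes also catch keys at line edges.
  printf '%s\n' "$1" | sed 's/^/ /; s/$/ /' | grep -Eq -e "$AKID_RE" -e "$SECRET_RE"
}

# Runtime check for a live instance: $1 = region, $2 = instance ID.
# Not exercised below; it needs the aws CLI and ec2:DescribeInstanceAttribute.
check_instance() {
  ud=$(aws ec2 describe-instance-attribute --region "$1" --instance-id "$2" \
         --attribute userData --query UserData.Value --output text | decode_user_data)
  if user_data_has_secrets "$ud"; then
    echo "FAIL $2: user data contains AWS key material"
    return 1
  fi
  echo "OK $2"
}

# Buildtime fix, as a user-data script that carries no secret: the instance
# gets credentials from its IAM instance profile via IMDS and pulls the
# application secret at boot. The secret ID prod/web/db-password is an assumption.
safe_user_data() {
  cat <<'EOF'
#!/bin/bash
# No static keys here; the aws CLI picks up instance-profile credentials from IMDS.
DB_PASSWORD="$(aws secretsmanager get-secret-value \
  --secret-id prod/web/db-password --query SecretString --output text)"
export DB_PASSWORD
EOF
}

# Constructed sample of the anti-pattern the check flags (AWS documentation example keys).
LEAKY_SAMPLE='#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
# The same sample as the API hands it back: base64 on a single line.
LEAKY_B64=$(printf '%s' "$LEAKY_SAMPLE" | base64 | tr -d '\n')

if user_data_has_secrets "$(printf '%s' "$LEAKY_B64" | decode_user_data)"; then
  echo "leaky sample: AWS key material found"
fi
if ! user_data_has_secrets "$(safe_user_data)"; then
  echo "hardened sample: clean"
fi
```

To sweep a region, feed the instance IDs from aws ec2 describe-instances into check_instance; a FAIL line is the runtime equivalent of CKV_AWS_46 firing, and the matching fix is to rotate the key and replace the user data with something shaped like safe_user_data.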