Ensure secrets are not exposed in Azure VM customData

Error: Secrets are exposed in Azure VM customData

Bridgecrew Policy ID: BC_AZR_SECRETS_2
Checkov Check ID: CKV_AZURE_45
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Secrets are exposed in Azure VM customData

Description

The Azure VM metadata field customData carries a script or configuration that runs right after the VM is launched. Its contents are exposed to any entity with even the most basic access to the VM, including read-only access to its configuration, and they are not encrypted.

We recommend using Azure Key Vault to retrieve secrets from within the VM. Removing secrets from unencrypted, easily accessed locations reduces the risk of passwords, private keys and similar material being exposed to third parties.

Fix - Runtime

A Runtime Remediation is not applicable in this case because custom data cannot be modified on an existing VM. A new VM must be created with different custom data.

Fix - Buildtime

Terraform

Remove the custom_data attribute (marked with -) from the os_profile block of the Terraform resource.

resource "azurerm_virtual_machine" "main" {
  name                  = "${var.prefix}-vm"
  ...
  os_profile {
    ...
-   custom_data = "MY_SECRET_VALUE"
  }
  ...
}
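The kind of buildtime check the Checkov ID above refers to, as an added example that is not Checkov's own implementation: a heuristic scan of a parsed azurerm_virtual_machine block for secret-like material in os_profile.custom_data, decoding base64 where cloud-init has been encoded. The dict shape (blocks wrapped in lists, as python-hcl2 produces) and the sample resources are assumptions.

```python
"""Heuristic check for secrets in azurerm_virtual_machine os_profile.custom_data.

Added example, not Checkov's implementation of CKV_AZURE_45. The input is one
resource block already parsed into a dict (assumed python-hcl2-like shape).
"""
import base64
import binascii
import re

# Constructed patterns for common secret material; extend for your environment.
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"AKIA[0-9A-Z]{16}"),  # access-key-id shape often pasted into cloud-init
]


def _decode_custom_data(value: str) -> str:
    """custom_data is frequently base64-encoded cloud-init; decode it when it is."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value  # not base64 (or not text): scan the raw value instead


def find_custom_data_secrets(resource: dict) -> list:
    """Return secret-like fragments found in the resource's custom_data.

    An empty list means the check passes for this resource.
    """
    findings = []
    profiles = resource.get("os_profile") or []
    if isinstance(profiles, dict):  # tolerate dict-shaped input as well as lists
        profiles = [profiles]
    for profile in profiles:
        raw = profile.get("custom_data")
        if not isinstance(raw, str) or not raw:
            continue
        text = _decode_custom_data(raw)
        for pattern in SECRET_PATTERNS:
            findings.extend(m.group(0) for m in pattern.finditer(text))
    return findings


# Constructed samples: encoded cloud-init with a password, a raw private key, a clean block.
BAD_CLOUD_INIT = base64.b64encode(b"#cloud-config\nruncmd:\n  - export DB_PASSWORD=hunter2\n").decode()
BAD_RESOURCE = {"os_profile": [{"custom_data": BAD_CLOUD_INIT}]}
KEY_RESOURCE = {"os_profile": [{"custom_data": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"}]}
GOOD_RESOURCE = {"os_profile": [{"admin_username": "azureuser"}]}
```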