Skip to content

EC2 user data exposes secrets

Description

User Data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted.

Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.

Fix - Runtime

CLI Command

To see the secret, run the following CLI command:

aws ec2 describe-instance-attribute 
--attribute userData 
--region <REGION> 
--instance-id <INSTANCE_ID> 
--query UserData.Value 
--output text > encodeddata; base64 
--decode encodeddata

Fix - Buildtime

Terraform

Resource: aws_instance
Argument: user_data
In this case, the analysis has found a likely AWS secret being used in your user_data. Remove these secrets, substitute with dynamic (i.e. Obtain from Vault) or use instance profiles.

```go aws_instance.web.tf resource "aws_instance" "web" { ... instance_type = "t3.micro" - user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA" }


## CloudFormation

**Resource:** AWS::EC2::Instance  
**Argument:** Properties.UserData

```yaml
Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ...
-     UserData: "..."