Secrets are exposed in Azure VM customData
Description
The Azure VM metadata field customData allows custom code to run right after the VM is launched. It contains code exposed to any entity which has the most basic access to the VM, including read-only of configurations. The code is not encrypted.
We recommend you use Azure Key Vault to access secrets from the VM. Removing secrets from unencrypted places which can be easily accessed reduces the risk of passwords, private keys and more from being exposed to third parties.
Fix - Runtime
A Runtime Remediation is not applicable in this case because custom data cannot be modified on an existing VM. A new VM must be created with different custom data.
Fix - Buildtime
Terraform
Remove the following attribute from the Terraform resource.
resource "azurerm_virtual_machine" "main" {
name = "${var.prefix}-vm"
...
os_profile {
...
- custom_data = "MY_SECRET_VALUE"
}
...
}