Pattern: Use of sensitive data in aws_launch_template
Issue: EC2 user data passes start-up configuration into the instance. It must not contain access key credentials: user data is returned to anyone in the account who can call ec2:DescribeLaunchTemplateVersions, and it is readable by every process on the instance through the instance metadata service (http://169.254.169.254/latest/user-data), so a key placed there is exposed to the whole account and to the workload itself. Instead, assign an IAM instance profile to the instance so it obtains short-lived role credentials for the AWS services it needs.
Resolution: Remove sensitive data from the EC2 instance user data generated by launch templates and grant the instance its access through an IAM instance profile. If the instance genuinely needs a secret at boot, fetch it at runtime (for example from SSM Parameter Store or Secrets Manager) using the instance role rather than embedding it in the template.
The following example will fail the aws-autoscaling-no-secrets-in-user-data check.
resource "aws_launch_template" "bad_example" {
  image_id      = "ami-12345667"
  instance_type = "t2.small"

  # Long-lived IAM user credentials embedded in user data: they are stored in
  # every version of the launch template and served to the instance over IMDS.
  user_data = <<EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
EOF
}
The following example will pass the aws-autoscaling-no-secrets-in-user-data check.
resource "aws_iam_instance_profile" "good_example" {
  // ... name and role omitted; the attached role carries the permissions the instance needs
}

resource "aws_launch_template" "good_example" {
  image_id      = "ami-12345667"
  instance_type = "t2.small"

  # The instance profile supplies temporary credentials via IMDS; the block
  # takes the profile's name (use the arn argument if you prefer the ARN).
  iam_instance_profile {
    name = aws_iam_instance_profile.good_example.name
  }

  # User data carries only non-sensitive start-up configuration.
  user_data = <<EOF
export GREETING=hello
EOF
}
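The passing example above leaves the instance profile and the boot-time handling of a real secret as an exercise. The following is an added, complete example (not part of the original rule page or of the tfsec project) showing the full pattern: a role scoped to a single SSM parameter, an instance profile attached to the launch template, IMDSv2 enforced so the role credentials are harder to steal, and a user-data script that reads the secret at boot through the role. The resource names, the parameter path /app/example/db_password, the db_password variable and the AMI ID are assumptions made for the example.

```hcl
# Added example: launch template whose instance obtains a secret at boot via its
# IAM role instead of carrying credentials in user_data. All names are assumed.

data "aws_region" "current" {}

# Trust policy allowing EC2 to assume the role.
data "aws_iam_policy_document" "assume_ec2" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app_example" {
  name               = "app-example"
  assume_role_policy = data.aws_iam_policy_document.assume_ec2.json
}

# The secret lives in Parameter Store; its value is supplied out of band
# through a sensitive variable and never appears in the launch template.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_ssm_parameter" "db_password" {
  name  = "/app/example/db_password"
  type  = "SecureString"
  value = var.db_password
}

# Least privilege: read-only access to exactly one parameter.
data "aws_iam_policy_document" "read_db_password" {
  statement {
    actions   = ["ssm:GetParameter"]
    resources = [aws_ssm_parameter.db_password.arn]
  }
}

resource "aws_iam_role_policy" "read_db_password" {
  name   = "read-db-password"
  role   = aws_iam_role.app_example.id
  policy = data.aws_iam_policy_document.read_db_password.json
}

resource "aws_iam_instance_profile" "app_example" {
  name = "app-example"
  role = aws_iam_role.app_example.name
}

resource "aws_launch_template" "app_example" {
  image_id      = "ami-12345667" # assumed AMI ID
  instance_type = "t2.small"

  iam_instance_profile {
    name = aws_iam_instance_profile.app_example.name
  }

  # Require IMDSv2 so the role credentials cannot be read with a plain GET
  # (e.g. through an SSRF in the application).
  metadata_options {
    http_tokens = "required"
  }

  # aws_launch_template expects base64-encoded user data. The script contains
  # no credentials: the AWS CLI picks up the instance role from IMDS and the
  # secret is fetched at boot, so it is neither in the template nor on disk.
  user_data = base64encode(<<-EOF
    #!/bin/bash
    set -euo pipefail
    DB_PASSWORD=$(aws ssm get-parameter \
      --region "${data.aws_region.current.name}" \
      --name "${aws_ssm_parameter.db_password.name}" \
      --with-decryption \
      --query 'Parameter.Value' --output text)
    export DB_PASSWORD
    # ... start the application here ...
  EOF
  )
}
```

The role policy names the parameter's ARN rather than a wildcard, so a compromised instance can read that one value and nothing else; if the parameter used a customer-managed KMS key instead of the default aws/ssm key, the role would additionally need kms:Decrypt on that key.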