aws-ec2-no-secrets-in-launch-template-user-data.md

Pattern: Use of sensitive data in AWS EC2 launch template

Issue: -

Description

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.

Resolution: Remove sensitive data from the EC2 instance user-data generated by launch templates.

Examples

The following example will fail the aws-ec2-no-secrets-in-launch-template-user-data check.

 resource "aws_launch_template" "bad_example" {
 
	 image_id      = "ami-12345667"
	 instance_type = "t2.small"
 
	 user_data = <<EOF
 export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 export AWS_DEFAULT_REGION=us-west-2 
EOF
}
 

The following example will pass the aws-ec2-no-secrets-in-launch-template-user-data check.

 resource "aws_iam_instance_profile" "good_example" {
		 // ...
 }
 
 resource "aws_launch_template" "good_example" {
	 image_id      = "ami-12345667"
	 instance_type = "t2.small"
 
	 iam_instance_profile {
		 name = aws_iam_instance_profile.good_profile.arn
	 }
	 user_data = <<EOF
	 export GREETING=hello
EOF
}
 

Further reading

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#user_data
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html