User data shell script is not encoded
| Field | Value |
| --- | --- |
| ID | aws_ec2_shell_script_encoded |
| Severity | low |
| Vendor | AWS |
| Resource | Encryption |
| Tags | reachable |
Description
User data shell script is not encoded. EC2 user data must be base64-encoded. The Amazon EC2 console can perform the base64 encoding for you or accept base64-encoded input.

User data is limited to 16 KB in raw form, before it is base64-encoded. A string of length n is ceil(n/3)*4 characters long after base64 encoding.

User data must be base64-decoded when you retrieve it. If you retrieve the data using instance metadata or the console, it is decoded for you automatically.

User data is treated as opaque data: what you give is what you get back. It is up to the instance to interpret it.

To fix this finding, base64-encode the value of user_data or the content of the file configured in user_data_path.
Learn more about this topic at AWS EC2 user data.
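As an added example (not part of this rule page, KICS, or the Ansible collection), the following Python code applies the constraints from the description: the 16 KB raw limit, the ceil(n/3)*4 encoded size, and a lint that flags a user_data value that is not base64. Function names and the heuristic are my own; sample values are the two user_data strings from the playbooks on this page.

```python
import base64
import binascii
import math
import re

# EC2 user data limit from the rule description: 16 KB of raw data, before base64 encoding.
MAX_RAW_BYTES = 16 * 1024
# Shape of a standard base64 string: alphabet characters, then at most two '=' pads.
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def encoded_size(n: int) -> int:
    """Length of the base64 text produced from n raw bytes: ceil(n/3)*4."""
    return math.ceil(n / 3) * 4

def raw_length_ok(raw: bytes) -> bool:
    """True if the raw (not yet encoded) user data fits the 16 KB EC2 limit."""
    return len(raw) <= MAX_RAW_BYTES

def encode_user_data(script: str) -> str:
    """Base64-encode a user data script as the console would, enforcing the raw limit."""
    raw = script.encode("utf-8")
    if not raw_length_ok(raw):
        raise ValueError(f"user data is {len(raw)} raw bytes; EC2 limit is {MAX_RAW_BYTES}")
    return base64.b64encode(raw).decode("ascii")

def decode_user_data(value: str) -> str:
    """Decode what the instance retrieves; the data is opaque, so the caller interprets it."""
    return base64.b64decode(value, validate=True).decode("utf-8")

def is_base64_encoded(value: str) -> bool:
    """Well-formed base64 that decodes and re-encodes to itself. A short plain word such
    as 'abcd' also has this shape, so this is a lint, not proof an encoder produced it."""
    if len(value) % 4 != 0 or not _B64_SHAPE.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Re-encoding must reproduce the input; this rejects non-canonical padding bits.
    return base64.b64encode(decoded).decode("ascii") == value

def check_user_data(value: str) -> list[str]:
    """Findings for one user_data value, in the spirit of aws_ec2_shell_script_encoded."""
    if not is_base64_encoded(value):
        return ["user_data is not base64-encoded"]
    raw = base64.b64decode(value)
    if not raw_length_ok(raw):
        return [f"decoded user_data is {len(raw)} bytes; EC2 limit is {MAX_RAW_BYTES} raw bytes"]
    return []
```

Running check_user_data over "Not encrypted" reports the finding from this page, while "abd4568=" and any output of encode_user_data pass.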
Examples
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a launch configuration
      community.aws.autoscaling_launch_config:
        name: special
        image_id: ami-XXX
        key_name: default
        user_data: "Not encrypted"  # plain text, not base64-encoded
        security_groups: ['group', 'group2']
        instance_type: t1.micro
        volumes:
          - device_name: /dev/sda1
            volume_size: 100
            volume_type: io1
            iops: 3000
            delete_on_termination: true
            encrypted: true
          - device_name: /dev/sdb
            ephemeral: ephemeral0
```
Mitigation / Fix
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a launch configuration
      community.aws.autoscaling_launch_config:
        name: special
        image_id: ami-XXX
        key_name: default
        user_data: "abd4568="  # Base64-encoded
        security_groups: ['group', 'group2']
        instance_type: t1.micro
        volumes:
          - device_name: /dev/sda1
            volume_size: 100
            volume_type: io1
            iops: 3000
            delete_on_termination: true
            encrypted: true
          - device_name: /dev/sdb
            ephemeral: ephemeral0
```