User data contains a base64 encoded private key

ID: aws_ec2_user_encoded_pk

Severity: critical

Vendor: AWS

Resource: IAM

Tags: reachable

Description

User data contains a base64-encoded private key. Base64 is an encoding, not encryption, so anyone who can read the user data can decode the key trivially. Supply the private key through environment variables or a secrets store instead of embedding it in the playbook.

By default, the aws_secret_key parameter is read from the AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY, or EC2_SECRET_KEY environment variables, so it does not need to appear in the task at all.

Learn more about this topic in the AWS EC2 module v2.9 or AWS EC2 module documentation.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a launch configuration with an encrypted volume
      community.aws.autoscaling_launch_config:
        name: special
        image_id: ami-XXX
        key_name: default
        secret_key: 1234567890== # Base64 string
        security_groups: [ 'group', 'group2' ]
        instance_type: t1.micro
        volumes:
          - device_name: /dev/sda1
            volume_size: 100
            volume_type: io1
            iops: 3000
            delete_on_termination: true
            encrypted: true
          - device_name: /dev/sdb
            ephemeral: ephemeral0

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a launch configuration with an encrypted volume
      community.aws.autoscaling_launch_config:
        name: special
        image_id: ami-XXX
        key_name: default
        security_groups: [ 'group', 'group2' ]
        instance_type: t1.micro
        volumes:
          - device_name: /dev/sda1
            volume_size: 100
            volume_type: io1
            iops: 3000
            delete_on_termination: true
            encrypted: true
          - device_name: /dev/sdb
            ephemeral: ephemeral0
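The following is an added example, not part of this rule page or of the Ansible collections it references: a small line-based scanner in Python that applies the rule's logic to playbook text, flagging the secret-key aliases and user_data when they hold a literal instead of a template, and showing that a base64 value decodes straight back to its PEM contents. The parameter names, the three sample tasks and the fake PEM body are constructed for the demonstration; the base64 value `1234567890==` is the one from the flagged example above.

```python
import base64
import binascii
import re

# AWS secret-key aliases accepted by the community.aws modules, plus user_data (assumed set).
SECRET_PARAMS = {"secret_key", "aws_secret_key", "ec2_secret_key", "user_data"}
KV_RE = re.compile(r"^\s*-?\s*(?P<key>\w+):\s*(?P<value>[^#]*?)\s*(?:#.*)?$")
TEMPLATE_RE = re.compile(r"^\{\{.*\}\}$")  # e.g. {{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_if_base64(value):
    """Return the decoded bytes if value is syntactically valid base64, else None."""
    if len(value) < 8 or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None

def scan_playbook(text):
    """Return (line_number, parameter, kind) for secret-bearing params given as literals."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KV_RE.match(line)
        if not m or m["key"] not in SECRET_PARAMS:
            continue
        value = m["value"].strip().strip("'\"")
        if not value or TEMPLATE_RE.match(value):
            continue  # empty, or delegated to an env/secret lookup (block scalars '|' are not followed)
        decoded = decode_if_base64(value)
        if decoded is None:
            kind = "plaintext_literal"
        elif b"PRIVATE KEY" in decoded:  # decoding alone recovers the PEM key
            kind = "base64_private_key"
        else:
            kind = "base64_literal"
        findings.append((lineno, m["key"], kind))
    return findings

# Constructed samples: the page's flagged task, its fixed form, and a user_data case.
FAKE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n"
VULNERABLE = "- community.aws.autoscaling_launch_config:\n    name: special\n    secret_key: 1234567890== #Base64 string\n"
FIXED = "- community.aws.autoscaling_launch_config:\n    name: special\n    aws_secret_key: \"{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}\"\n"
USER_DATA = "- amazon.aws.ec2_instance:\n    user_data: " + base64.b64encode(FAKE_PEM).decode() + "\n"

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("user_data", USER_DATA)):
        print(label, scan_playbook(sample))
```

The scanner is deliberately line-based, so it illustrates the check rather than replacing a YAML-aware linter; multi-line block scalars and values split across lines are not followed.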