Control: 2.13 Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data
Description
User Data can be specified when launching an ec2 instance. Examples include specifying parameters for configuring the instance or including a simple script.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com.
- Click All services and click EC2 under Compute.
- Click on Instances.
- If the instance is currently running, stop the instance first.
Note: confirm that stopping the instance has no negative impact before doing so.
- For each instance, click Actions -> Instance Settings -> Edit user data.
- For each instance, edit the user data to ensure there are no secrets or sensitive data stored. A Secret Management solution such as AWS Secrets Manager can be used here as a more secure mechanism of storing necessary sensitive data.
- Repeat this remediation for all the other AWS regions.
Note: If the ec2 instances are created via automation or infrastructure-as-code, edit the user data in those pipelines and code.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_13
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_13 --share
SQL
This control uses a named query:
ec2_instance_user_data_no_secrets
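The named query above is not reproduced on this page, so the following is an added example (not the Powerpipe/Steampipe query, and not part of the original control text) that shows what such a check has to do: decode the base64 user data the EC2 API returns, scan it line by line for common credential shapes, and report ok/alarm per instance. It also illustrates the remediation in the list above: a user-data script that fetches its credential from AWS Secrets Manager at boot passes, while one with the credential embedded alarms. The regexes, instance IDs and scripts are constructed for this example; the `AKIA.../wJal...` values are the placeholder credentials from the AWS documentation, not real keys.

```python
import base64
import re

# Credential shapes to look for. Constructed for this example; these are not the
# rules used by the ec2_instance_user_data_no_secrets query the control references.
# A value beginning with '$' (e.g. $(aws secretsmanager ...)) is a runtime
# reference to a secret, not an embedded one, so the assignment rules skip it.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?(?!\$)[^\s'\"]+"
    ),
    "generic_token": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[=:]\s*['\"]?(?!\$)[A-Za-z0-9_\-/+=]{16,}"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def decode_user_data(raw: str) -> str:
    """describe-instance-attribute returns user data base64-encoded; decode it when
    it is valid base64, otherwise treat the input as already-decoded text."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return raw


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be reported without re-exposing the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def find_secrets(user_data: str) -> list:
    """Return (rule, line_number, redacted_match) for every hit, scanning line by line."""
    findings = []
    for line_no, line in enumerate(user_data.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((rule, line_no, redact(match.group(0))))
    return findings


def evaluate_instance(instance_id: str, raw_user_data: str) -> dict:
    """Mirror the control's per-instance outcome: alarm if any secret is found."""
    findings = find_secrets(decode_user_data(raw_user_data))
    return {
        "instance_id": instance_id,
        "status": "alarm" if findings else "ok",
        "findings": findings,
    }


def run_check(instances: dict) -> list:
    """Evaluate a {instance_id: raw_user_data} mapping, as the control does per region."""
    return [evaluate_instance(i, u) for i, u in instances.items()]


# Constructed sample user data: credentials baked into the bootstrap script.
USER_DATA_WITH_SECRETS = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=Tr0ub4dor3
/opt/app/start --db-pass "$DB_PASSWORD"
"""

# Constructed sample user data: the remediated form, which resolves the secret
# at boot through the instance role instead of storing it in user data.
USER_DATA_FROM_SECRETS_MANAGER = """#!/bin/bash
DB_PASSWORD=$(aws secretsmanager get-secret-value --secret-id prod/app/db --query SecretString --output text)
/opt/app/start --db-pass "$DB_PASSWORD"
"""

# Placeholder instance IDs. The first value is base64-encoded, as the EC2 API
# returns it; the second is given already decoded to exercise the fallback.
SAMPLE_INSTANCES = {
    "i-0123456789abcdef0": base64.b64encode(USER_DATA_WITH_SECRETS.encode()).decode(),
    "i-0123456789abcdef1": USER_DATA_FROM_SECRETS_MANAGER,
}

if __name__ == "__main__":
    for result in run_check(SAMPLE_INSTANCES):
        print(result["instance_id"], result["status"])
        for rule, line_no, snippet in result["findings"]:
            print(f"  line {line_no}: {rule} ({snippet})")
```

Only the redacted prefix of a match is ever reported, so the scanner's own output does not become another place where the secret is stored.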