🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: EC2 auto scaling group launch configurations user data should not have any sensitive data

Description

Ensure that sensitive information is not included in the user data of the launch configuration. It is recommended to utilize Secrets Manager as an alternative for securely managing sensitive data.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.autoscaling_ec2_launch_configuration_no_sensitive_data

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.autoscaling_ec2_launch_configuration_no_sensitive_data --share

SQL

This control uses a named query:

select
  launch_configuration_arn as resource,
  case
    when
      user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ])
      or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm'
    else 'ok'
  end as status,
  case
    when
      user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ])
      or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then title || ' has potential secret patterns in user data.'
    else title || ' does not contain secret patterns in user data.'
  end as reason
  , region, account_id
from
  aws_ec2_launch_configuration;

Tags

category = Compliance
plugin = aws
service = AWS/AutoScaling