Control: 2.13 Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data
Description
User data can be specified when launching an EC2 instance, for example to pass configuration parameters to the instance or to include a simple script.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com.
- Click All services and click EC2 under Compute.
- Click on Instances.
- If the instance is currently running, stop the instance first.

Note: confirm that stopping the instance will have no negative impact before stopping it.
- For each instance, click Actions -> Instance Settings -> Edit user data.
- For each instance, edit the user data to ensure there are no secrets or sensitive data stored. A secret management solution such as AWS Secrets Manager can be used here as a more secure mechanism for storing necessary sensitive data.
- Repeat this remediation for all the other AWS regions.

Note: If the EC2 instances are created via automation or infrastructure-as-code, edit the user data in those pipelines and code.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_13

Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_13 --share

SQL
This control uses a named query:
select
  arn as resource,
  case
    when user_data like any (array ['%pass%', '%secret%', '%token%', '%key%'])
      or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm'
    else 'ok'
  end as status,
  case
    when user_data like any (array ['%pass%', '%secret%', '%token%', '%key%'])
      or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then instance_id || ' potential secret found in user data.'
    else instance_id || ' no secrets found in user data.'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;
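To see what the two predicates in the query above catch and miss, here is an added example (not part of the aws_compliance mod) that re-implements the same keyword and password-shape heuristics in Python and runs them over constructed user-data scripts with hypothetical instance ids; the last sample shows a case-sensitivity gap a reviewer should keep in mind.

```python
import re

# Keyword fragments the control's LIKE ANY clause looks for (case-sensitive, as LIKE is in PostgreSQL).
KEYWORD_FRAGMENTS = ("pass", "secret", "token", "key")

# The control's second test: a string containing a lowercase letter, an uppercase letter,
# a digit and one of @$!%*?&, i.e. something shaped like a complexity-policy password.
# re.DOTALL mirrors PostgreSQL, where '.' also matches newlines in multi-line scripts.
PASSWORD_SHAPE = re.compile(
    r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]", re.DOTALL
)

def evaluate_user_data(instance_id, user_data):
    """Return (status, reason) for one instance, following the control's case expressions."""
    # NULL user_data makes both SQL predicates NULL, so the query falls through to 'ok'.
    if user_data is None:
        return "ok", f"{instance_id} no secrets found in user data."
    keyword_hit = any(fragment in user_data for fragment in KEYWORD_FRAGMENTS)
    shape_hit = PASSWORD_SHAPE.search(user_data) is not None
    if keyword_hit or shape_hit:
        return "alarm", f"{instance_id} potential secret found in user data."
    return "ok", f"{instance_id} no secrets found in user data."

def run_control(instances):
    """Evaluate a mapping of instance_id -> decoded user data; returns rows like the query's."""
    return [(iid, *evaluate_user_data(iid, data)) for iid, data in instances.items()]

# Constructed sample user data with hypothetical instance ids, one per outcome worth seeing.
SAMPLE_INSTANCES = {
    "i-0aaa111": "#!/bin/bash\napt-get update -y\napt-get install -y nginx\n",
    "i-0bbb222": "#!/bin/bash\necho db_password=changeme > /etc/app.env\n",
    "i-0ccc333": "#!/bin/bash\ncurl -u admin:Adm1n!pw http://internal.example/setup\n",
    # Missed by both heuristics: LIKE is case-sensitive, so 'PASSWORD' is not '%pass%',
    # and the value has no digit, so the password-shape regex does not fire either.
    "i-0ddd444": "#!/bin/bash\nexport DB_PASSWORD=changeme\n",
    "i-0eee555": None,
}

if __name__ == "__main__":
    for instance_id, status, reason in run_control(SAMPLE_INSTANCES):
        print(f"{status:5} {reason}")
```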