turbot/steampipe-mod-aws-compliance

Control: EC2 instances user data should not have secrets

Description

User data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. Its contents are readable by any principal with even the most basic, read-only access to EC2, so it is recommended not to place secrets in user data.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ec2_instance_user_data_no_secrets

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ec2_instance_user_data_no_secrets --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when user_data like any (array ['%pass%', '%secret%', '%token%', '%key%'])
      or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm'
    else 'ok'
  end as status,
  case
    when user_data like any (array ['%pass%', '%secret%', '%token%', '%key%'])
      or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then instance_id || ' potential secret found in user data.'
    else instance_id || ' no secrets found in user data.'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;

Tags