Control: EC2 instances should not contain secrets in user data
Description
To help protect sensitive information, ensure that Amazon Elastic Compute Cloud (Amazon EC2) instances do not contain secrets in user data.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ec2_instance_user_data_no_secretsSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.ec2_instance_user_data_no_secrets --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std ->> 'user_data') is null then 'skip' when (attributes_std ->> 'user_data') like any (array ['%pass%', '%secret%','%token%','%key%']) or (attributes_std ->> 'user_data') ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm' else 'ok' end as status, split_part(address, '.', 2) || case when (attributes_std ->> 'user_data') is null then ' no user data defined.' when (attributes_std ->> 'user_data') like any (array ['%pass%', '%secret%','%token%','%key%']) or (attributes_std ->> 'user_data') ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then ' potential secret found in user data.' else ' no secrets found in user data.' end as reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_instance';