Ensure all data stored in the launch configuration EBS is securely encrypted

Default Severity: high

Explanation

When creating Launch Configurations, user data can be used for the initial configuration of the instance. User data must not contain any sensitive data.

Possible Impact

Sensitive credentials in user data can be leaked

Suggested Resolution

Don't use sensitive data in user data

Insecure Example

The following example will fail the aws-ec2-no-sensitive-info check.

 resource "aws_launch_configuration" "as_conf" {
   name          = "web_config"
   image_id      = data.aws_ami.ubuntu.id
   instance_type = "t2.micro"
   user_data     = <<EOF
 export DATABASE_PASSWORD="SomeSortOfPassword"
 EOF
 }

Secure Example

The following example will pass the aws-ec2-no-sensitive-info check.

 resource "aws_launch_configuration" "as_conf" {
   name          = "web_config"
   image_id      = data.aws_ami.ubuntu.id
   instance_type = "t2.micro"
   user_data     = <<EOF
 export GREETING="Hello there"
 EOF
 }
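To catch this pattern before a plan is applied, the following added example (not part of this page or of the tfsec implementation) scans aws_launch_configuration blocks for user_data heredocs that assign credential-like literals. The sample Terraform is constructed from the page's insecure example plus a variant that fetches the secret from SSM at boot; the list of sensitive variable-name fragments is an assumption.

```python
import re

# Constructed sample: the page's insecure block, and one that resolves the secret at boot.
SAMPLE_TF = '''
resource "aws_launch_configuration" "as_conf" {
  name          = "web_config"
  user_data     = <<EOF
export DATABASE_PASSWORD="SomeSortOfPassword"
export GREETING="Hello there"
EOF
}

resource "aws_launch_configuration" "from_ssm" {
  name          = "web_config_ssm"
  user_data     = <<-EOF
    export DATABASE_PASSWORD=$(aws ssm get-parameter --name /app/db --with-decryption --query Parameter.Value --output text)
  EOF
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_launch_configuration"\s+"(?P<name>[^"]+)"\s*\{')
# user_data heredoc in either <<MARKER or indented <<-MARKER form
HEREDOC_RE = re.compile(
    r'user_data\s*=\s*<<-?(?P<marker>\w+)\n(?P<body>.*?)\n\s*(?P=marker)\b', re.DOTALL)
# credential-like variable names (assumed list) assigned in the embedded shell script
SENSITIVE_RE = re.compile(
    r'^\s*(?:export\s+)?(?P<name>\w*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)\w*)'
    r'\s*=\s*(?P<value>\S+)', re.IGNORECASE | re.MULTILINE)


def find_sensitive_user_data(tf_source: str) -> list[tuple[str, str]]:
    """Return (resource name, variable name) for each credential-like literal in user_data."""
    findings = []
    headers = list(RESOURCE_RE.finditer(tf_source))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(tf_source)
        heredoc = HEREDOC_RE.search(tf_source, hdr.end(), end)
        if not heredoc:
            continue
        for assign in SENSITIVE_RE.finditer(heredoc.group('body')):
            value = assign.group('value')
            # $(...) or `...` fetches the secret on the instance at boot: the launch
            # configuration (and the user data served by IMDS) never stores the value.
            if value.startswith('$(') or value.startswith('`'):
                continue
            findings.append((hdr.group('name'), assign.group('name')))
    return findings


if __name__ == '__main__':
    for resource, var in find_sensitive_user_data(SAMPLE_TF):
        print(f'aws_launch_configuration.{resource}: user_data contains literal {var}')
```

Only the first block is reported; the SSM variant passes because the secret value is never written into the launch configuration.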