Ensure all data stored in the launch configuration EBS is securely encrypted
Default Severity: high
Explanation
When creating Launch Configurations, user data can be used for the initial configuration of the instance. User data must not contain any sensitive data.
Possible Impact
Sensitive credentials in user data can be leaked
Suggested Resolution
Don't use sensitive data in user data
Insecure Example
The following example will fail the aws-ec2-no-sensitive-info check.
resource "aws_launch_configuration" "as_conf" {
  name          = "web_config"
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # The plaintext password below ends up in the launch configuration's user data
  user_data     = <<EOF
export DATABASE_PASSWORD="SomeSortOfPassword"
EOF
}
Secure Example
The following example will pass the aws-ec2-no-sensitive-info check.
resource "aws_launch_configuration" "as_conf" {
  name          = "web_config"
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  user_data     = <<EOF
export GREETING="Hello there"
EOF
}
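One way to follow the suggested resolution when the instance really does need a database password: keep the value in an SSM Parameter Store SecureString and have user data fetch it at boot through an instance profile. This is an added example, not part of the original page or the check's own documentation. The variables, the IAM role, policy and profile names, and the parameter path are hypothetical, and it assumes the AMI has the AWS CLI installed and that `data.aws_ami.ubuntu` is defined as in the examples above.

```terraform
# Added example; var.region, var.db_password_parameter and the IAM names are hypothetical.
variable "region" { type = string }
variable "db_password_parameter" {
  type    = string
  default = "/web/database_password" # existing SecureString, created outside this config
}
data "aws_caller_identity" "current" {}
resource "aws_iam_role" "web" {
  name = "web-config-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}
# The instance may read this one parameter only. Assumes the default aws/ssm key;
# a customer managed key would also need kms:Decrypt on that key.
resource "aws_iam_role_policy" "read_db_password" {
  name = "read-db-password"
  role = aws_iam_role.web.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "ssm:GetParameter"
      Resource = "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter${var.db_password_parameter}"
    }]
  })
}

resource "aws_iam_instance_profile" "web" {
  name = "web-config-profile"
  role = aws_iam_role.web.name
}

resource "aws_launch_configuration" "as_conf" {
  name                 = "web_config"
  image_id             = data.aws_ami.ubuntu.id
  instance_type        = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.web.name
  # Only the parameter name appears in user data; the value is fetched at boot.
  user_data = <<EOF
#!/bin/bash
export DATABASE_PASSWORD="$(aws ssm get-parameter --region '${var.region}' --name '${var.db_password_parameter}' --with-decryption --query Parameter.Value --output text)"
EOF
}
```

Because the parameter is referenced by name rather than read through a data source, its value never enters the Terraform state or the launch configuration.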