Severity Framework
Snyk CCSS
Rule category
Keys and Secrets / Access
Frameworks
CIS-Controls
- Snyk ID SNYK-CC-00226
- credit Snyk Research Team
Description
If secret keys are hardcoded in a user_data script, anyone with access to the version-control system or to a launched instance can obtain the secrets and gain unauthorized access to resources.
How to fix?
Remove the secret value from the user_data attribute.
Example Configuration
resource "aws_instance" "allowed_3" {
  ami           = "ami-005e54dee72ccabcd"
  instance_type = "t2.micro"
  user_data     = file("script.sh")
}
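One way to apply the fix when the boot script still needs a credential, shown as an added example that is not part of the original Snyk page: user_data carries only a reference to the secret, and the instance role is allowed to read that one secret at boot. All resource names, the secret name and the DB_PASSWORD variable are hypothetical, and the sketch assumes the AMI ships the AWS CLI with a default region configured.

```hcl
# Added example (constructed names): user_data references the secret by ARN;
# the value is fetched at boot with the instance role, not stored in the script.
resource "aws_secretsmanager_secret" "db" {
  name = "example/db-password"
}

resource "aws_iam_role" "app" {
  name = "example-app"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Least privilege: the role can read this single secret and nothing else.
resource "aws_iam_role_policy" "read_db_secret" {
  name = "read-db-secret"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = aws_secretsmanager_secret.db.arn
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "example-app"
  role = aws_iam_role.app.name
}

resource "aws_instance" "allowed_example" {
  ami                  = "ami-005e54dee72ccabcd"
  instance_type        = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.app.name
  user_data            = <<-EOF
    #!/bin/bash
    # Assumes the AMI ships the AWS CLI with a default region set.
    export DB_PASSWORD="$(aws secretsmanager get-secret-value \
      --secret-id ${aws_secretsmanager_secret.db.arn} \
      --query SecretString --output text)"
  EOF
}
```

The secret's value is assumed to be set outside Terraform, so it appears neither in the repository nor in the rendered user_data.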