Exposed secrets in EC2 user data (severity: High)

Secrets are being placed in EC2 user data. User data is stored unencrypted and can be read by any process on the instance through the instance metadata service, and by any principal allowed to call DescribeInstanceAttribute, so make sure that secrets are not placed in EC2 user data; give the instance access to credentials through an IAM instance profile instead.

Detector ID
terraform/exposed-ec2-user-data-secret-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

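# Noncompliant example: an EC2 instance whose user data script embeds
# long-lived AWS access keys. Anything placed in user_data is stored
# unencrypted and is readable by every process on the instance through the
# instance metadata service, as well as by any principal permitted to call
# ec2:DescribeInstanceAttribute, so the keys below are effectively exposed
# to the whole workload and to anyone with read access to the instance.
resource "aws_instance" "chroma_instance" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = var.instance_type
  key_name      = "chroma-keypair"
  # NOTE(review): `security_groups` takes group *names*; for instances in a
  # non-default VPC `vpc_security_group_ids` is the usual attribute — confirm
  # which applies to this deployment.
  security_groups = [aws_security_group.chroma_sg.name]

  # Require IMDSv2 session tokens. This hardens the metadata service against
  # some request-forgery paths but does not protect user data from local
  # processes, which can still read it.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  monitoring    = true
  ebs_optimized = true

  ebs_block_device {
    volume_type = "gp2"
    volume_size = var.ebs_volume_size
    device_name = "/dev/xvdb"
    encrypted   = true
  }

  root_block_device {
    volume_type = "gp2"
    volume_size = var.root_volume_size
    encrypted   = true
  }

  # An instance profile is already attached; its role is the mechanism that
  # should supply credentials to the workload instead of the exported keys
  # below.
  iam_instance_profile = "test"

  # Noncompliant: Hard-coded secrets exist in EC2 user data.
  # `<<-EOF` (indented heredoc) strips the common leading whitespace, so the
  # script and its shebang are delivered starting at column 0 rather than
  # carrying this file's two-space indent as the plain `<<EOF` form did.
  user_data = <<-EOF
    #! /bin/bash
    sudo apt-get update
    sudo apt-get install -y apache2
    sudo systemctl start apache2
    sudo systemctl enable apache2
    export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
    export AWS_SECRET_ACCESS_KEY=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
    export AWS_DEFAULT_REGION=us-west-2
    echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
  EOF

  tags = local.tags
}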

Compliant example

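# Compliant example: the same instance with no credentials in user data.
# Bootstrap steps that need AWS access rely on the attached IAM instance
# profile, whose temporary role credentials the AWS CLI and SDKs pick up
# automatically on the instance; nothing secret is written into user_data.
resource "aws_instance" "chroma_instance" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = var.instance_type
  key_name      = "chroma-keypair"
  # NOTE(review): `security_groups` takes group *names*; for instances in a
  # non-default VPC `vpc_security_group_ids` is the usual attribute — confirm
  # which applies to this deployment.
  security_groups = [aws_security_group.chroma_sg.name]

  # Require IMDSv2 session tokens for the metadata service.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  monitoring    = true
  ebs_optimized = true

  ebs_block_device {
    volume_type = "gp2"
    volume_size = var.ebs_volume_size
    device_name = "/dev/xvdb"
    encrypted   = true
  }

  root_block_device {
    volume_type = "gp2"
    volume_size = var.root_volume_size
    encrypted   = true
  }

  # The instance profile is the sanctioned way to give the workload AWS
  # credentials: they are short-lived, rotated by the service, and never
  # appear in user data or in Terraform state as literals.
  iam_instance_profile = "test"

  # Compliant: Hard-coded secrets don't exist in EC2 user data.
  # The bootstrap script is kept, but without any exported access keys;
  # `<<-EOF` strips this file's indentation from the delivered script.
  user_data = <<-EOF
    #! /bin/bash
    sudo apt-get update
    sudo apt-get install -y apache2
    sudo systemctl start apache2
    sudo systemctl enable apache2
    echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
  EOF

  tags = local.tags
}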