AWS062 - User data for EC2 instances must not contain sensitive AWS keys

Written by tfsec

Explanation

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.

Insecure Example

The following example will fail the AWS062 check.

resource "aws_instance" "bad_example" {

  ami           = "ami-12345667"
  instance_type = "t2.small"

  user_data = <<EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2 
EOF
}

Secure Example

The following example will pass the AWS062 check.

resource "aws_iam_instance_profile" "good_example" {
    // ...
}

resource "aws_instance" "good_example" {
  ami           = "ami-12345667"
  instance_type = "t2.small"

  iam_instance_profile = aws_iam_instance_profile.good_profile.arn

  user_data = <<EOF
  export GREETING=hello
EOF
}

Related Links

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#user_data

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html

---