Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

Storing AWS access keys or other credentials in EC2 user data exposes them in plain text. User data is not a secret store: anyone who can call ec2:DescribeLaunchTemplateVersions (or ec2:DescribeInstanceAttribute for a running instance) can read it from the AWS Management Console or the API, it is returned base64-encoded rather than encrypted, and any process on the instance can fetch it from the instance metadata service at http://169.254.169.254/latest/user-data without presenting any credentials at all. Baking keys in this way bypasses IAM instance roles and secret-management services, and because the keys are static and long-lived, a single read of the user data stays useful until someone rotates them.

Impact

An attacker who reads the user data obtains working AWS credentials and inherits every permission attached to those keys. Depending on the policy behind them, this can mean unauthorized access to data, exfiltration, creation or deletion of resources, or full account compromise. Because the keys are static, the exposure persists until they are rotated and the old keys deactivated, so the window is often much longer than the original leak.

Resolution

Remove access keys and other secrets from the user data of launch templates. Attach an IAM instance profile so the instance obtains short-lived credentials from its role, and fetch any application secrets at boot from AWS Secrets Manager or SSM Parameter Store using that role rather than embedding them. Treat any key that has ever appeared in user data as compromised: rotate it, review CloudTrail for unexpected use, and then deactivate it. Note that committing the fix alone does not end the exposure; earlier launch template versions are immutable and still return the old user data to DescribeLaunchTemplateVersions until those versions are deleted.
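As an added example, not taken from the original page or from the rule's own documentation, the following Terraform shows the misconfigured launch template beside a hardened one. The AMI variable, the bucket name and all resource names are placeholders chosen for illustration, and the access key pair in the vulnerable version is AWS's published dummy example credential, not a live key. The hardened version also requires IMDSv2, which goes slightly beyond the rule itself: once the instance relies on role credentials served by the metadata service, making that service token-gated is the caveat a practitioner would want alongside the fix.

```terraform
variable "ami_id" {
  type = string
}

# VULNERABLE: long-lived keys baked into user data. Anyone with
# ec2:DescribeLaunchTemplateVersions, and any process on the instance via
# http://169.254.169.254/latest/user-data, can read them in the clear.
resource "aws_launch_template" "bad" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  user_data = base64encode(<<-EOT
    #!/bin/bash
    # AWS documentation example key pair, used here only as a placeholder
    export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
    export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    aws s3 sync s3://my-app-config /etc/app/
  EOT
  )
}

# HARDENED: the instance gets temporary credentials from an IAM role, scoped to
# the single bucket it needs, and user data no longer contains anything secret.
resource "aws_iam_role" "app" {
  name = "app-instance-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "app_config_read" {
  name = "app-config-read"
  role = aws_iam_role.app.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::my-app-config",
        "arn:aws:s3:::my-app-config/*",
      ]
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile"
  role = aws_iam_role.app.name
}

resource "aws_launch_template" "good" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  iam_instance_profile {
    name = aws_iam_instance_profile.app.name
  }

  # Require IMDSv2 so the role's temporary credentials cannot be pulled with a
  # plain GET to the metadata service (e.g. through an SSRF in the application).
  metadata_options {
    http_tokens = "required"
  }

  user_data = base64encode(<<-EOT
    #!/bin/bash
    # No static keys: the AWS CLI resolves the instance role's temporary
    # credentials through the default provider chain (IMDS).
    aws s3 sync s3://my-app-config /etc/app/
  EOT
  )
}
```

In the hardened template the only thing left in user data is a command that is safe to be public, which is the property to aim for: anything readable through DescribeLaunchTemplateVersions or the metadata endpoint should be treated as visible to the whole account and to every workload on the instance.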