User data for EC2 instances must not contain sensitive AWS keys
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | ec2 |
| Provider | AWS |
| Vulnerability Type | misconfiguration |
Description
Sensitive AWS access keys or credentials are included in EC2 instance user data, making them accessible in plain text to anyone with permission to view the instance’s user data. This practice exposes critical secrets rather than using secure mechanisms like IAM Instance Profiles.
Impact
If exploited, attackers or unauthorized users with access to the EC2 instance metadata or AWS console could retrieve AWS credentials and gain unauthorized access to AWS resources, potentially leading to data breaches, resource compromise, or full account takeover.
Resolution
Remove sensitive data from the EC2 instance user data; grant the instance the permissions it needs through an IAM instance profile instead.
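As an added example (not part of this rule page, and not the scanner's own implementation), the check below shows how a defender can detect this misconfiguration: it decodes an instance's user data (EC2 returns it base64-encoded) and scans it for AWS access key IDs and secret keys. The two user-data scripts are constructed samples; the key pair in the non-compliant one is the placeholder pair AWS uses in its own documentation, not a real credential. The pure helpers run offline; `scan_account` is a hypothetical name for running the same check over live instances with boto3.

```python
"""Detect AWS credentials embedded in EC2 user data (added example)."""
import base64
import binascii
import re

# Constructed non-compliant sample: long-lived keys exported in user data.
# The key ID and secret are AWS's documentation placeholders, not live keys.
BAD_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://example-bucket /var/www/html
"""

# Constructed compliant sample: no keys, the instance profile attached to the
# instance supplies temporary credentials via the instance metadata service.
GOOD_USER_DATA = """#!/bin/bash
aws s3 sync s3://example-bucket /var/www/html
"""

PATTERNS = {
    # AKIA = long-term access key ID, ASIA = temporary (STS) access key ID
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"
    ),
    # secret key: 40 base64-alphabet characters assigned to a known variable name
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


def encode_user_data(text):
    """Base64-encode a script the way EC2 stores and returns user data."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_user_data(raw):
    """Accept either the base64 form returned by the EC2 API or plain text."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return raw


def find_credentials(user_data):
    """Return (kind, redacted_value) for every credential found in user data."""
    text = decode_user_data(user_data)
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            secret = match.group(1) if match.groups() else match.group(0)
            # never log the full secret; keep just enough to locate it
            findings.append((kind, secret[:4] + "..." + secret[-4:]))
    return findings


def is_compliant(user_data):
    """True when the user data contains no AWS credentials."""
    return not find_credentials(user_data)


def scan_account(region="us-east-1"):
    """Hypothetical live check: scan every instance's user data in one region."""
    import boto3  # deferred so the helpers above work without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    results = {}
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for instance in reservation["Instances"]:
                iid = instance["InstanceId"]
                attr = ec2.describe_instance_attribute(
                    InstanceId=iid, Attribute="userData"
                )
                raw = attr.get("UserData", {}).get("Value", "")
                results[iid] = find_credentials(raw)
    return results


if __name__ == "__main__":
    for name, sample in (("bad", BAD_USER_DATA), ("good", GOOD_USER_DATA)):
        status = "compliant" if is_compliant(sample) else find_credentials(sample)
        print(name, status)
```

The access-key pattern is deliberately narrow (the fixed `AKIA`/`ASIA` prefix plus 16 uppercase alphanumerics) so it fires on real key IDs rather than on arbitrary uppercase tokens; the secret-key pattern is anchored to the variable name because a bare 40-character string alone is too noisy. Findings are redacted before they are returned so the scanner's own output does not become a second place the credential is exposed.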