Description:

EC2 user data is data you pass to an instance at launch. The instance can use it to perform common automated configuration tasks and even run scripts after it starts.

You can pass two types of user data to Amazon EC2:

  • shell scripts, and

  • cloud-init directives

You can also pass this data to the launch instance wizard as plain text or as a file (the file form is useful for launching instances with the command line tools).

EC2 user data is commonly used to:

  • install updates

  • install software

  • download common files from the internet

  • run anything else you can script at first boot


Rationale:

As described above, user data is an attribute of the EC2 instance, and the instance runs it as custom code after launch. User data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on it, can read it from the instance metadata service (http://169.254.169.254/latest/user-data) without any AWS credentials, and any IAM principal allowed to call ec2:DescribeInstanceAttribute can read it through the API. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, in user data.


Impact:

Make sure that no personal or sensitive information is placed in user data, and that nothing sent to or from the instance through user data contains secrets.

Keeping secrets out of user data removes an easy path for an attacker who gains access to the instance, or to the EC2 API, to harvest credentials that are valid far beyond that one instance.


Default Value:

By default, user data scripts and cloud-init directives run only during the first boot cycle when you launch an instance. The data itself stays attached to the instance, and remains readable, until it is changed or the instance is terminated.


Audit:

Step 1: Log in to the AWS Management Console and open the EC2 dashboard at https://console.aws.amazon.com/ec2

Step 2: Click Instances in the left navigation pane

Step 3: Select the instance, open the Actions menu, choose Instance settings, and click Edit user data. The instance does not have to be stopped to view its user data; it only has to be stopped before the data can be modified.

Step 4: Review the user data and check whether it contains any secret (access keys, passwords, private keys, API tokens).

Step 5: Repeat for every instance, including stopped ones, since user data stays attached to the instance after first boot.


Via CLI:

To read the user data of an instance from the CLI, use describe-instance-attribute and base64-decode the value (the API returns user data base64-encoded; if the instance has no user data the CLI prints None):

aws ec2 describe-instance-attribute \
  --attribute userData \
  --region <region> \
  --instance-id <instance-id> \
  --query UserData.Value \
  --output text | base64 --decode


The decoded output is whatever was passed at launch. The Terraform definition below shows the kind of finding this audit should surface: an AWS access key and secret key embedded directly in user_data. The key values are placeholders, and the line marked with - is the one that must be removed from the instance definition.

resource "aws_instance" "web" {
    ami           = data.aws_ami.ubuntu.id
    instance_type = "t3.micro"

-    user_data = "access_key= ABCDEF1234XYZGHIJXLM and secret_key=xieiWideiQQiejieiAA+wiru283i8allie9828e"
    tags = {
      Name = "Welcomeicompaas"
    }
}
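The script below is an added example, not part of the original page or of any AWS tooling. It serves both the Rationale above (any process on the instance can read user data through IMDS, shown by read_user_data_on_instance) and the CLI audit (fetch_user_data wraps the describe-instance-attribute call), and it adds the part a practitioner actually wants automated: scanning the decoded text for credential-like strings and printing the hits with their values redacted, so the audit output does not itself leak the secret. It assumes POSIX sh or bash with grep -E, sed -E and base64; fetch_user_data assumes an aws CLI allowed to call ec2:DescribeInstanceAttribute, and read_user_data_on_instance assumes curl and must run on the instance. The sample user data and the SECRET_PATTERNS list are constructed for the demo (the key values are the placeholder keys from AWS documentation, not real credentials).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit decoded EC2 user data for
# credential-like strings, with values redacted in the report.
# Assumptions: POSIX sh/bash, grep -E, sed -E, base64; fetch_user_data needs an aws CLI
# with ec2:DescribeInstanceAttribute; read_user_data_on_instance needs curl on the instance.
# Neither network function is called in the demo at the bottom.

# Indicators of embedded credentials (assumption: extend with your own token formats).
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|secret[_-]?(access[_-]?)?key|passw(or)?d[[:space:]]*[=:]|api[_-]?key[[:space:]]*[=:]|token[[:space:]]*[=:]|BEGIN [A-Z ]*PRIVATE KEY'

# read_user_data_on_instance: what any process on the instance can do with no AWS
# credentials at all. Uses an IMDSv2 session token, which works whether IMDSv2 is
# optional or required on the instance.
read_user_data_on_instance() {
  token=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
            -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/user-data
}

# fetch_user_data <instance-id> <region>: decoded user data through the EC2 API.
# If the instance has no user data the CLI prints "None", which base64 rejects.
fetch_user_data() {
  aws ec2 describe-instance-attribute --attribute userData \
    --region "$2" --instance-id "$1" --query UserData.Value --output text \
  | base64 --decode
}

# count_secret_hits: number of stdin lines matching SECRET_PATTERNS; 0 when clean.
count_secret_hits() {
  grep -ciE "$SECRET_PATTERNS" || true
}

# audit_user_data: stdin is decoded user data. Prints each matching line with the
# value after '=' or ': ' replaced by <redacted>; returns 1 on any hit (FAIL) and
# 0 otherwise (PASS), so it can gate a deployment pipeline.
audit_user_data() {
  hits=$(grep -niE "$SECRET_PATTERNS" \
         | sed -E -e 's/(=[[:space:]]*|:[[:space:]]+)[^[:space:]]+/\1<redacted>/g' \
                  -e 's/^([0-9]+):/line \1: /' || true)
  if [ -n "$hits" ]; then
    printf 'FAIL: credential-like content in user data:\n%s\n' "$hits"
    return 1
  fi
  echo "PASS: no credential-like content in user data"
}

# Constructed samples for the demo (documentation placeholder keys, not real ones).
SAMPLE_USER_DATA='#!/bin/bash
yum update -y
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=Sup3rS3cret
service httpd start'

CLEAN_USER_DATA='#!/bin/bash
yum update -y
service httpd start
chkconfig httpd on'

# Demo on the constructed sample. For a live instance, pipe fetch_user_data or
# read_user_data_on_instance into audit_user_data instead.
printf '%s\n' "$SAMPLE_USER_DATA" | audit_user_data || true
```

Run against a live instance with `fetch_user_data i-0123456789abcdef0 us-east-1 | audit_user_data` (instance ID and region are placeholders). The pattern list is deliberately broad: a false positive costs a minute of review, while a missed long-lived key costs an incident, so tune it by adding formats rather than removing them.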


Remediation:

Pre-Requisite:

This procedure assumes the instance has a public DNS name that is reachable from the internet.

Configure the security group to allow only the ports the instance actually needs, for example SSH (port 22) restricted to your administrative addresses, and HTTP (port 80) and HTTPS (port 443) for a web server.

Whatever purpose the instance serves, open only the ports that purpose requires.

Take a backup (create an AMI) or an EBS snapshot of the instance before editing it. Note that stopping an instance changes its public IPv4 address unless it has an Elastic IP, and discards the contents of any instance store volumes.


Implementation Steps:

To modify instance user data after the audit finds a secret in it:

Step 1: Log in to the AWS Management Console and open the EC2 dashboard at https://console.aws.amazon.com/ec2

Step 2: Click Instances in the left navigation pane

Step 3: Select the instance, choose Instance state, then Stop instance, and wait until the instance state shows Stopped. User data can only be edited while the instance is stopped.

Step 4: Open the Actions menu, choose Instance settings, and click Edit user data.


Step 5: Remove every secret from the user data text and save it. Rather than embedding the value, have the script fetch it at runtime through the instance's IAM role, for example from AWS Secrets Manager or Systems Manager Parameter Store, so the secret never needs to be in user data at all.

Step 6: Treat every credential that was in user data as exposed: rotate it (deactivate the access key, change the password), then start the instance again.


Via CLI:

First, create a text file that contains the required configuration without any secret. For example, save the following shell script as my_script.txt (the httpd install line is needed because the package is not present on a fresh Amazon Linux AMI):

#!/bin/bash
yum update -y
yum install -y httpd
service httpd start
chkconfig httpd on


Stop the instance:

aws ec2 stop-instances --instance-ids <instance-id>
aws ec2 wait instance-stopped --instance-ids <instance-id>

On a Linux computer, use the base64 command to encode the user data:

base64 my_script.txt > my_script_base64.txt


On a Windows computer, use the certutil command to encode the user data. Before you can use this file with the AWS CLI, you must remove the first (BEGIN CERTIFICATE) and last (END CERTIFICATE) lines that certutil adds:

certutil -encode my_script.txt my_script_base64.txt
notepad my_script_base64.txt


Then replace the user data of the instance with the encoded file, using modify-instance-attribute with the userData attribute:

aws ec2 modify-instance-attribute \
  --instance-id <instance-id> \
  --attribute userData \
  --value file://my_script_base64.txt

Finally, start the instance again. As with the console procedure, rotate every credential that was in the old user data; removing it from the instance does not revoke it.
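The following is an added example, not part of the original page or of AWS's own tooling. It carries the CLI remediation above through end to end: it refuses to proceed unless the instance is stopped, base64-encodes a clean script while enforcing the 16 KB raw user data limit before the API rejects it, pushes the new value with modify-instance-attribute, and then reads the attribute back and compares the decoded bytes with the file, so a wrong file or a truncated upload is caught immediately. The replacement script it generates fetches the database password at boot from an SSM Parameter Store SecureString through the instance role instead of carrying it in user data. Assumptions: bash or POSIX sh with base64, wc and cmp; an aws CLI with credentials for ec2:DescribeInstances, ec2:ModifyInstanceAttribute and ec2:DescribeInstanceAttribute; and, for the generated script, an Amazon Linux 2 instance whose instance profile allows ssm:GetParameter on a parameter named /app/db/password in us-east-1 (parameter name and region are assumptions).

```shell
#!/usr/bin/env bash
# Added example (not from the original page or AWS): replace an instance's user data
# with a clean script and verify the stored value.
# Assumptions: bash/POSIX sh, base64, wc, cmp; aws CLI with ec2:DescribeInstances,
# ec2:ModifyInstanceAttribute and ec2:DescribeInstanceAttribute. The generated script
# assumes Amazon Linux 2 and an instance profile with ssm:GetParameter on
# /app/db/password (assumed name) in us-east-1 (assumed region).

MAX_USER_DATA_BYTES=16384   # AWS limit on raw user data (16 KB before base64 encoding)

# clean_user_data: the replacement script. The secret is fetched at boot through the
# instance role from SSM Parameter Store, so it never appears in user data or the API.
clean_user_data() {
  cat <<'EOF'
#!/bin/bash
export AWS_DEFAULT_REGION=us-east-1   # assumption: region holding the parameter
yum update -y
yum install -y httpd
# Read the database password from a SecureString parameter (assumed to exist).
DB_PASSWORD="$(aws ssm get-parameter --name /app/db/password --with-decryption \
  --query Parameter.Value --output text)"
# Hand it to the application through a root-only file; adjust owner/mode to the
# service account that needs it rather than exporting it to every process.
mkdir -p /etc/app
umask 077
printf 'DB_PASSWORD=%s\n' "$DB_PASSWORD" > /etc/app/db.env
systemctl enable --now httpd
EOF
}

# encode_user_data <file>: single-line base64 of the script, rejecting oversized
# input before the API does. Prints the encoded text.
encode_user_data() {
  size=$(wc -c <"$1" | tr -d ' ')
  if [ "$size" -gt "$MAX_USER_DATA_BYTES" ]; then
    echo "user data is $size bytes; limit is $MAX_USER_DATA_BYTES" >&2
    return 1
  fi
  base64 <"$1" | tr -d '\n'
}

# decode_user_data: inverse of encode_user_data, reading base64 on stdin.
decode_user_data() {
  base64 --decode
}

# replace_user_data <instance-id> <region> <clean-script-file>
replace_user_data() {
  id=$1; region=$2; script=$3
  state=$(aws ec2 describe-instances --region "$region" --instance-ids "$id" \
            --query 'Reservations[0].Instances[0].State.Name' --output text)
  if [ "$state" != "stopped" ]; then
    echo "instance $id is '$state'; stop it first (stop-instances, wait instance-stopped)" >&2
    return 1
  fi
  encoded=$(encode_user_data "$script") || return 1
  aws ec2 modify-instance-attribute --region "$region" --instance-id "$id" \
      --attribute userData --value "$encoded"
  # Read it back and compare decoded bytes, so a wrong file or truncation is caught.
  if aws ec2 describe-instance-attribute --region "$region" --instance-id "$id" \
       --attribute userData --query UserData.Value --output text \
     | decode_user_data | cmp -s - "$script"; then
    echo "user data on $id replaced and verified"
  else
    echo "readback of $id does not match $script" >&2
    return 1
  fi
}

# Typical run (needs AWS access, so not executed here):
#   clean_user_data > my_script.txt
#   replace_user_data i-0123456789abcdef0 us-east-1 my_script.txt
```

After a successful run, start the instance and rotate the credentials that were in the old user data; the readback check proves the new value is stored, not that the old key is dead. The generated script still leaves the password on disk on the instance, which is the trade-off being made: a secret scoped to one parameter, one role and one host, instead of a long-lived key readable by anything that can reach IMDS or the EC2 API.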


Backout Plan:

If you cannot access the instance after modifying its user data, restore it from the AMI or snapshot created in the prerequisites, then re-apply the user data change. Do not roll back to the old user data itself, since that would put the secret back on the instance.


Reference:

  1. modify-instance-attribute — AWS CLI 1.19.108 Command Reference 

  2. Run commands on your Linux instance at launch - Amazon Elastic Compute Cloud 

  3. Work with instance user data - Amazon Elastic Compute Cloud