Profile Applicability:

  • Level 1

Description:

An EC2 Launch Template is a resource in AWS that defines the configuration used to launch EC2 instances, including instance type, AMI, key pair, security groups, and more. Secrets such as AWS access keys, API keys, passwords, or any other sensitive data should never be hardcoded into EC2 launch templates. This SOP ensures that any secrets stored in EC2 Launch Templates, which could expose sensitive data to unauthorized access, are identified.

Rationale:

Storing sensitive information like secrets in EC2 Launch Templates increases the risk of inadvertent exposure. Such secrets should be managed securely using AWS Secrets Manager, SSM Parameter Store, or environment variables, rather than embedding them directly in launch templates. Identifying and removing secrets stored in launch templates helps mitigate security risks and ensures compliance with best practices for handling sensitive information.

Impact:

Pros:

  • Improved Security: Identifying and eliminating hardcoded secrets helps protect sensitive data.

  • Compliance: Helps adhere to security best practices and compliance regulations.

  • Better Control: Secrets are managed securely, making it easier to rotate and audit access to sensitive information.

Cons:

  • Time-Consuming: Identifying secrets manually can be time-consuming, especially in environments with many launch templates.

  • Misconfiguration Risk: If secrets are not correctly migrated to a secure location, misconfigurations can occur.

Default Value:

By default, EC2 Launch Templates do not contain sensitive secrets if they follow best practices. However, in some cases, developers or administrators may inadvertently include secrets in the launch template configurations.

Pre-requisites:

  • IAM Permissions:

    • ec2:DescribeLaunchTemplates

    • ec2:DescribeLaunchTemplateVersions

    • ssm:GetParameters

  • AWS CLI or Console Access to check and retrieve EC2 Launch Template configurations.

  • Secrets Management setup, such as Secrets Manager or SSM Parameter Store, for managing sensitive information securely.

Remediation:

Test plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the EC2 Console, select Launch Templates from the left-hand menu.

  4. Review each launch template and look for configurations or user data scripts that might contain sensitive information (e.g., API keys, passwords, AWS credentials).

  5. If secrets are found in the launch template:

    • Remove the secrets from the template.

    • Store the secrets securely in AWS Secrets Manager or SSM Parameter Store.

    • Update the launch template to reference the securely stored secrets (via environment variables or secure retrieval methods).

  6. Save and redeploy any affected EC2 instances to ensure no secrets are exposed in the template.

Using AWS CLI:

To describe the launch templates, run:

aws ec2 describe-launch-templates --query 'LaunchTemplates[*].LaunchTemplateId'

To describe the versions of a specific launch template and check for secrets, run:

aws ec2 describe-launch-template-versions --launch-template-id <template-id>

Review the User Data of each launch template version (the CLI returns it base64-encoded, nested under LaunchTemplateData) to identify any hardcoded secrets:

aws ec2 describe-launch-template-versions --launch-template-id <template-id> --query 'LaunchTemplateVersions[*].LaunchTemplateData.UserData'

If secrets are found, remove them and migrate the secrets to Secrets Manager or SSM Parameter Store.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to EC2.

  2. In the EC2 Console, select Launch Templates under Instances.

  3. Review each Launch Template for sensitive data, especially in the User Data section.

  4. If secrets are found, remove them and store them securely in AWS Secrets Manager or SSM Parameter Store.

  5. Update the launch template to reference these stored secrets, either through environment variables or secure methods.

Using AWS CLI:

To list launch templates, run:

aws ec2 describe-launch-templates --query 'LaunchTemplates[*].LaunchTemplateId'

For each template, run the following to check the user data (decode the base64 output before reviewing it):

aws ec2 describe-launch-template-versions --launch-template-id <template-id> --query 'LaunchTemplateVersions[*].LaunchTemplateData.UserData'

If any secrets are identified, remove them and store securely in AWS Secrets Manager or SSM Parameter Store. Update the launch template to reference those stored secrets securely.
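The check described in the Test plan and Implementation Steps above, as an added example that is not part of this SOP: it takes the JSON returned by describe-launch-template-versions, base64-decodes each version's UserData, and flags literal credential patterns while ignoring values that are fetched at boot (shell substitutions such as a call to SSM Parameter Store). The sample output, template id and user-data scripts are constructed for illustration; the regexes are a starting point, not an exhaustive secret detector.

```python
# Scan `aws ec2 describe-launch-template-versions` output for hardcoded secrets.
import base64
import re
# Values starting with '$' (shell variable/command substitution, e.g. fetched from
# SSM at boot) are references rather than literal secrets and are not flagged.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    "generic_credential": re.compile(
        r"(?i)(?:password|passwd|api[_-]?key|(?<!aws_)secret|token)\w*\s*[=:]\s*[\"']?[^\s\"'$]{8,}"),
}

def decode_user_data(user_data):
    """UserData comes back base64-encoded; a missing value means no script."""
    return base64.b64decode(user_data).decode("utf-8", "replace") if user_data else ""

def scan_versions(describe_output):
    """Return one finding per secret-like match, showing only a masked prefix."""
    findings = []
    for version in describe_output.get("LaunchTemplateVersions", []):
        script = decode_user_data(version.get("LaunchTemplateData", {}).get("UserData"))
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(script):
                findings.append({"template": version.get("LaunchTemplateId"),
                                 "version": version.get("VersionNumber"), "type": kind,
                                 "line": script.count("\n", 0, m.start()) + 1,
                                 "masked": m.group(0)[:12] + "..."})
    return findings

# Constructed sample in the shape of the CLI output (not from a real account).
# Version 1 hardcodes credentials; version 2 reads the DB password from SSM instead
# (the instance profile then needs ssm:GetParameter and kms:Decrypt for the key).
HARDCODED = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=CorrectHorseBatteryStaple
"""
REMEDIATED = """#!/bin/bash
DB_PASSWORD=$(aws ssm get-parameter --name /app/db/password --with-decryption \\
  --query Parameter.Value --output text)
"""
def make_version(number, script):  # helper to build a LaunchTemplateVersions entry
    return {"LaunchTemplateId": "lt-0123456789abcdef0", "VersionNumber": number,
            "LaunchTemplateData": {"UserData": base64.b64encode(script.encode()).decode()}}
SAMPLE_OUTPUT = {"LaunchTemplateVersions": [make_version(1, HARDCODED), make_version(2, REMEDIATED)]}

if __name__ == "__main__":
    for f in scan_versions(SAMPLE_OUTPUT): print(f)
```

Against real output, feed the script the JSON from the describe command above; every version of a template, not only the default one, should be scanned, since older versions remain retrievable.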

Backout Plan:

Using AWS Console:

If removing secrets causes any issues or misconfigurations:

  • Revert the launch template to its previous version.

  • Restore any original user data or secrets from a backup (if applicable).

  • Ensure the proper secrets management system (like Secrets Manager or SSM Parameter Store) is in place before re-attempting to remove hardcoded secrets.

Using AWS CLI:

To revert to an earlier launch template version, run:

aws ec2 create-launch-template-version --launch-template-id <template-id> --source-version <version-number> --version-description "Reverting to previous version"

Ensure any secrets are securely stored and accessed via a secure method (like Secrets Manager or SSM Parameter Store).

Note:

  • Encryption at Rest: If sensitive information is stored in SSM Parameter Store or Secrets Manager, ensure the data is encrypted using KMS keys for enhanced security.

  • Access Control: Ensure only authorized users and applications have permission to access the secrets stored in Secrets Manager or SSM Parameter Store.

  • Regular Auditing: Regularly audit your EC2 launch templates and Secrets Manager for potential security risks.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                         | IG1 | IG2 | IG3
  v8      | 3.4        | Ensure encryption of sensitive data at rest using proper tools and solutions.                               |     |     |
  v8      | 6.1        | Implement and enforce security and encryption for the storage of sensitive data.                            |     |     |
  v8      | 14.1       | Ensure network and application resources are protected from unauthorized access, especially sensitive data. |     |     |