Profile Applicability:

  • Level 1

Description:
 EC2 User Data can be specified when launching an EC2 instance to configure the instance or include initialization scripts. However, it is critical that sensitive information, such as passwords, API keys, or encryption keys, is not included in user data, since this data is not protected by encryption or authentication mechanisms.

Rationale:
 User data is easily accessible and can be viewed by anyone with access to the EC2 instance configuration, including administrators, system users, or unauthorized actors. Storing secrets or sensitive data in EC2 user data is insecure because the data is not protected, leading to potential data leaks, security breaches, and compliance violations.

Impact:
 Pros:

  • Improved security by ensuring that sensitive data is stored securely.

  • Reduced risk of unauthorized access to credentials or sensitive data through EC2 instance configurations.

Cons:

  • Requires secure storage alternatives for sensitive data (e.g., AWS Secrets Manager), which may incur additional operational complexity.

Default Value:
 By default, user data is not encrypted or protected. If sensitive data is stored in user data, it could be easily accessed by anyone with sufficient permissions.

Pre-requisites:

  • AWS IAM permissions to view and manage EC2 instances and user data:
    ec2:DescribeInstances, ec2:ModifyInstanceAttribute

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, click Instances, then click Instances from the dropdown.

  3. Select an EC2 instance for review.

  4. From the Actions menu, select Instance Settings, then click Edit User Data.

  5. Review the user data for any secrets or sensitive data, such as passwords, keys, or tokens.

  6. If sensitive data is found, refer to the remediation section below.

  7. Repeat steps 3–6 for all EC2 instances across all AWS regions.

Using AWS CLI:

  1. Run the following command to describe EC2 instances and retrieve the user data:

    aws ec2 describe-instances --region us-east-1 --output json --query "Reservations[*].Instances[*].{Instance:InstanceId}"

  2. For each instance listed, run the following command to retrieve the user data:

    aws ec2 describe-instance-attribute --instance-id <instance-id> --attribute userData

  3. Note that the user data might be Base64 encoded. Decode the output if necessary to check for sensitive information.
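The CLI test plan above, automated across every enabled region, as an added example that is not part of the benchmark text: scan_user_data decodes the Base64 value returned by describe-instance-attribute and flags lines that look like credentials; the indicator patterns and the sample user data are constructed for this example, and the access key shown is AWS's documented example value.

```shell
#!/bin/sh
# Added example: audit EC2 user data for embedded secrets across all regions.
# Requires ec2:DescribeRegions, ec2:DescribeInstances and
# ec2:DescribeInstanceAttribute on the calling identity.
set -eu

# Indicators of credentials in user data (constructed heuristic list for this
# example; extend it to match your organisation's secret formats).
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|aws_secret_access_key|BEGIN [A-Z ]*PRIVATE KEY|passw(or)?d[[:space:]]*[=:]|secret[[:space:]]*[=:]|token[[:space:]]*[=:]|api[_-]?key[[:space:]]*[=:]'

# Decode the Base64 value returned by describe-instance-attribute and print any
# matching lines with their line numbers. Returns 0 when clean, 1 when a secret
# indicator is found (empty or undecodable user data is treated as clean).
scan_user_data() {
  ud_b64="$1"
  ud_text=$(printf '%s' "$ud_b64" | base64 -d 2>/dev/null) || return 0
  if printf '%s\n' "$ud_text" | grep -E -i -n "$SECRET_PATTERNS"; then
    return 1
  fi
  return 0
}

# Steps 1 and 2 of the test plan, repeated for every enabled region.
audit_account() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    for id in $(aws ec2 describe-instances --region "$region" \
                  --query 'Reservations[].Instances[].InstanceId' --output text); do
      b64=$(aws ec2 describe-instance-attribute --region "$region" --instance-id "$id" \
              --attribute userData --query 'UserData.Value' --output text)
      [ "$b64" = "None" ] && continue        # instance launched without user data
      if ! scan_user_data "$b64" >/dev/null; then
        echo "FINDING: $region $id: secret indicator in user data"
      fi
    done
  done
}

# Constructed sample (not from a real instance): a boot script that exports a
# database password. Running this file stand-alone scans the sample only.
SAMPLE_USER_DATA=$(printf '#!/bin/bash\nexport DB_PASSWORD=hunter2\n' | base64)
scan_user_data "$SAMPLE_USER_DATA" || echo "sample user data flagged (expected)"
# Uncomment to audit the whole account:  audit_account
```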

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, click Instances, then click Instances from the dropdown.

  3. Select the EC2 instance where sensitive data is found in the user data.

  4. Stop the instance if it is running to ensure no unintended side effects from modifying the user data.

  5. Click Actions > Instance Settings > Edit User Data.

  6. Remove any secrets or sensitive data from the User Data.

  7. Store sensitive data securely using services such as AWS Secrets Manager instead.

  8. Once the changes are made, save the new user data and restart the instance.

Using AWS CLI:

  1. For each instance identified in the audit with sensitive data in the user data, use the modify-instance-attribute command to update the user data:

    aws ec2 modify-instance-attribute --instance-id i-1234567abcdefghi0 --user-data "New user data without sensitive information"

  2. If the instance needs to be stopped before the change, use the stop-instances command, followed by the start-instances command once the change is made:

    aws ec2 stop-instances --instance-ids i-1234567abcdefghi0
    aws ec2 start-instances --instance-ids i-1234567abcdefghi0

Backout Plan:

Using AWS Console:

  1. If removing sensitive data from user data causes issues, you can revert the changes by editing the user data again and restoring any previous configuration (if applicable and necessary).

  2. Ensure that any sensitive data is securely stored in an appropriate service, such as AWS Secrets Manager, before modifying user data.

Using AWS CLI:

  1. If the modified user data causes issues with the EC2 instance, you can restore the previous user data by re-running the modify-instance-attribute command with the old data, or restore from a backup if available.

References:

  1. AWS EC2: Instance Metadata

  2. AWS EC2: Modifying Instance User Data

  3. AWS Secrets Manager

  4. AWS CLI: describe-instances

  5. AWS CLI: modify-instance-attribute

CIS Controls:

  Version | Control ID | Control Description
  v8      | 3.2        | Establish and maintain a data inventory for sensitive data, ensuring that it is not stored insecurely in EC2 user data but instead in a more secure solution like AWS Secrets Manager.
  v8      | 3.3        | Configure data access control lists (ACLs) to ensure that sensitive information is stored securely, preventing it from being exposed in EC2 user data.
  v7      | 1.5        | Maintain asset inventory information and ensure that sensitive data is not stored in unsecured locations like EC2 user data, but rather in secure systems designed for storing sensitive information.