AWS-EC2-Secrets-in-User-Data
Severity : Medium
Description: This control ensures that EC2 instances do not expose passwords, private keys or other secrets in their user data. An instance's user data is a metadata field that allows custom code to run after the instance is launched. Secrets present in this metadata can be read by any principal or process that can access it, exposing them to third parties. Security best practice is to remove all secrets from the user data of instances.
Remediation Steps:
Perform the following to remove the secret from the user data and use AWS Secrets Manager instead:
Login to the AWS Management Console at https://console.aws.amazon.com.
Create the secret in Secrets Manager for the instances:
Navigate to the Secrets Manager console.
Select Secrets and then Store a new secret.
In the navigation pane, select Instances and then select the instance reported.
Under Secret type, select Other type of secret and specify the key/value pair.
Select Next. Enter a Name and a Description for the secret.
Create an IAM role with a secret access policy for the instances:
Navigate to the IAM console.
Select Roles and then Create Role.
If an EC2 instance role already exists, add a policy to it that grants access to the secret, as below. If no role exists, create a role for EC2 instances. The policy in the role (the Resource placeholder must be replaced with the ARN of the secret created above, so the role can read only that secret):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "secretsmanager:GetSecretValue" ],
      "Resource": "<Secret ARN in Secrets Manager>",
      "Effect": "Allow"
    }
  ]
}
Update the existing instances to use the role above and remove the secret from the user data:
Navigate to the EC2 console.
In the navigation pane, select Instances.
Select the reported instance from the list of instances.
Select Actions and then choose Security, Modify IAM Role.
For IAM role, if the instance does not have a role, select the role created above. If the instance already has a role and the secret access policy above was added to that role, the instance already has the updated policy.
Choose Save to save the changes.
Select Actions and then choose Instance Settings, Edit User Data.
In the user data, find the secret and remove it.
Update the user data with the following script, which reads the secret from Secrets Manager at boot and saves it in an environment variable instead of embedding it in the user data (replace the placeholders with your region and secret name):
#!/bin/bash
# Fetch the secret value from Secrets Manager using the instance role; nothing sensitive is stored in user data.
export SECRET_VALUE="$(aws secretsmanager get-secret-value --region <aws-region> --secret-id <secret Key name> --query SecretString --output text)"
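The check this control performs can be reproduced locally. The following is an added example, not Blue Hexagon's own detection logic: it takes the base64-encoded user data that EC2 returns (the shape of the UserData attribute from DescribeInstanceAttribute, which is the assumed data source) for a few constructed sample instances, decodes it, and flags lines that carry a private key block, an AWS access key ID, or a literal password/secret assignment, while passing user data that fetches the value from Secrets Manager at boot as the remediation above describes. Instance IDs, user-data contents and the pattern names are all constructed for the example.

```python
import base64
import re

# Constructed sample user data keyed by constructed instance IDs (not real
# instances). EC2 returns the UserData attribute base64-encoded, so the samples
# are encoded the same way to exercise the decode step.
SAMPLE_USER_DATA = {
    # Plaintext password embedded in user data: should FAIL
    "i-0123456789abcdef0": base64.b64encode(b"""#!/bin/bash
export DB_PASSWORD=SuperSecret123!
aws s3 cp s3://example-bucket/app.tar.gz /opt/app/
""").decode(),
    # Private key written from user data: should FAIL
    "i-0123456789abcdef1": base64.b64encode(b"""#!/bin/bash
cat > /root/.ssh/id_rsa <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
EOF
""").decode(),
    # Remediated pattern: value is fetched from Secrets Manager at boot, should PASS
    "i-0123456789abcdef2": base64.b64encode(b"""#!/bin/bash
export DB_PASSWORD="$(aws secretsmanager get-secret-value --secret-id prod/db --query SecretString --output text)"
""").decode(),
}

# Patterns for the secret kinds the control names. The password pattern
# deliberately skips values that begin with "$", i.e. values substituted at
# runtime (e.g. from Secrets Manager) rather than stored literally.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api_key)\s*=\s*['\"]?(?!\$)[^\s'\"]{4,}"
    ),
}


def find_secrets(user_data_b64: str) -> list:
    """Decode one instance's base64 user data and return (pattern name, line number)
    for every line that matches a secret pattern."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


def evaluate(instances: dict) -> dict:
    """Apply the control to every instance: FAIL if any secret pattern is found."""
    results = {}
    for instance_id, user_data_b64 in instances.items():
        findings = find_secrets(user_data_b64)
        results[instance_id] = {
            "status": "FAIL" if findings else "PASS",
            "findings": findings,
        }
    return results


if __name__ == "__main__":
    for instance_id, result in evaluate(SAMPLE_USER_DATA).items():
        print(instance_id, result["status"], result["findings"])
```

In a real scan the dictionary would be filled from the EC2 API (one DescribeInstanceAttribute call per instance for the userData attribute) and the findings fed to a ticket or alert; the line number is reported so the operator can go straight to the offending line in the Edit User Data dialog. Because the check decodes user data rather than grepping the launch template, it also catches secrets added after launch.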
Important:
Reference :
Blue Hexagon Proprietary