User Data Shell Script Is Encoded

• Query id: 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89
• Query name: User Data Shell Script Is Encoded
• Platform: Ansible
• Severity: High
• Category: Encryption
• URL: Github

Description

User Data Shell Script must be encoded
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file

---
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2']
    instance_type: t1.micro
    user_data: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==
    volumes:
      - device_name: /dev/sda1
        volume_size: 100
        volume_type: io1
        iops: 3000
        delete_on_termination: true
        encrypted: true
      - device_name: /dev/sdb
        ephemeral: ephemeral0

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data: ZWNobyAiSGVsbG8gd29ybGQi
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0
- name: note that encrypted volumes are only supported in >= Ansible 2.4.2
  community.aws.ec2_lc:
    name: special2
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data:
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0