User Data Contains Encoded Private Key
- Query id: c09f4d3e-27d2-4d46-9453-abbe9687a64e
- Query name: User Data Contains Encoded Private Key
- Platform: Ansible
- Severity: High
- Category: Encryption
- URL: Github
Description¶
User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - yaml file
---
- name: note that encrypted volumes are only supported in >= Ansible 2.4
community.aws.ec2_lc:
name: special
image_id: ami-XXX
key_name: default
security_groups: ['group', 'group2' ]
instance_type: t1.micro
user_data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5
volumes:
- device_name: /dev/sda1
volume_size: 100
volume_type: io1
iops: 3000
delete_on_termination: true
encrypted: true
- device_name: /dev/sdb
ephemeral: ephemeral0
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: note that encrypted volumes are only supported in >= Ansible 2.4
community.aws.ec2_lc:
name: special
image_id: ami-XXX
key_name: default
security_groups: [group, group2]
instance_type: t1.micro
user_data: dGVzdA==
volumes:
- device_name: /dev/sda1
volume_size: 100
volume_type: io1
iops: 3000
delete_on_termination: true
encrypted: true
- device_name: /dev/sdb
ephemeral: ephemeral0
- name: note that encrypted volumes are only supported in >= Ansible 2.4.2
community.aws.ec2_lc:
name: special2
image_id: ami-XXX
key_name: default
security_groups: [group, group2]
instance_type: t1.micro
user_data:
volumes:
- device_name: /dev/sda1
volume_size: 100
volume_type: io1
iops: 3000
delete_on_termination: true
encrypted: true
- device_name: /dev/sdb
ephemeral: ephemeral0