User Data Contains Encoded Private Key

  • Query id: c09f4d3e-27d2-4d46-9453-abbe9687a64e
  • Query name: User Data Contains Encoded Private Key
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2' ]
    instance_type: t1.micro
    user_data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data: dGVzdA==
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0
- name: note that encrypted volumes are only supported in >= Ansible 2.4.2
  community.aws.ec2_lc:
    name: special2
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data:
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0