User Data Shell Script Is Encoded

  • Query id: 48c3bc58-6959-4f27-b647-4fedeace23be
  • Query name: User Data Shell Script Is Encoded
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

User Data Shell Script must not be supplied already encoded. The query reports an `AWS::AutoScaling::LaunchConfiguration` whose `UserData` property is a pre-encoded base64 string carrying a shell script; in the positive samples below the value `IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==` decodes to `#!/bin/sh` followed by `echo "Hello world"`. A script stored in the template only in encoded form cannot be read by reviewers or inspected by static scanners, so credentials, endpoints or risky commands embedded in it go unnoticed. Keep the script readable in the template; the samples without the finding omit the pre-encoded `UserData` value entirely.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  myLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref LatestAmiId
      SecurityGroups:
        - Ref: "myEC2SecurityGroup"
      InstanceType:
        Ref: "InstanceType"
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 30
            VolumeType: "gp2"
        - DeviceName: /dev/sdm
          Ebs:
            VolumeSize: 100
            DeleteOnTermination: "false"
      UserData: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==
Positive test num. 2 - json file
{
  "Resources": {
    "myLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": {
          "Ref": "LatestAmiId"
        },
        "SecurityGroups": [
          {
            "Ref": "myEC2SecurityGroup"
          }
        ],
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sda1",
            "Ebs": {
              "VolumeSize": "30",
              "VolumeType": "gp2"
            }
          },
          {
            "DeviceName": "/dev/sdm",
            "Ebs": {
              "VolumeSize": "100",
              "DeleteOnTermination": "false"
            }
          }
        ],
        "UserData": "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg=="
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  myLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref LatestAmiId
      SecurityGroups:
        - Ref: "myEC2SecurityGroup"
      InstanceType:
        Ref: "InstanceType"
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 30
            VolumeType: "gp2"
        - DeviceName: /dev/sdm
          Ebs:
            VolumeSize: 100
            DeleteOnTermination: "false"
Negative test num. 2 - json file
{
  "Resources": {
    "myLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": {
          "Ref": "LatestAmiId"
        },
        "SecurityGroups": [
          {
            "Ref": "myEC2SecurityGroup"
          }
        ],
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sda1",
            "Ebs": {
              "VolumeSize": "30",
              "VolumeType": "gp2"
            }
          },
          {
            "DeviceName": "/dev/sdm",
            "Ebs": {
              "VolumeSize": "100",
              "DeleteOnTermination": "false"
            }
          }
        ]
      }
    }
  }
}
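To make the condition behind the samples concrete, the following is an added detection example; it is not the KICS query's own Rego and not part of this documentation page. It reads a CloudFormation template in JSON form (the page's JSON samples are embedded below, trimmed to the relevant properties, as constructed input) and reports every `AWS::AutoScaling::LaunchConfiguration` whose `UserData` is a plain string that base64-decodes to text starting with `#!`. Two points are assumptions of this example rather than documented behaviour of the query: the YAML samples are not handled (their `!Ref` tags need a CloudFormation-aware YAML loader), and an intrinsic-function form such as `{"Fn::Base64": "..."}` is treated as readable and therefore not flagged.

```python
"""Flag LaunchConfiguration UserData supplied as a pre-encoded shell script.

Added example, not the KICS query's implementation. Input templates below are
constructed from the page's JSON samples.
"""
import base64
import binascii
import json

LAUNCH_CONFIG = "AWS::AutoScaling::LaunchConfiguration"

# Constructed input: the page's positive JSON sample, trimmed.
POSITIVE_TEMPLATE = """{
  "Resources": {
    "myLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": {"Ref": "LatestAmiId"},
        "InstanceType": {"Ref": "InstanceType"},
        "UserData": "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg=="
      }
    }
  }
}"""

# Constructed input: the page's negative JSON sample, trimmed (no UserData).
NEGATIVE_TEMPLATE = """{
  "Resources": {
    "myLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": {"Ref": "LatestAmiId"},
        "InstanceType": {"Ref": "InstanceType"}
      }
    }
  }
}"""

# Constructed input (assumption of this example, not from the page): the same
# script kept readable and encoded at deploy time by the Fn::Base64 intrinsic.
FN_BASE64_TEMPLATE = json.dumps({
    "Resources": {
        "myLaunchConfig": {
            "Type": LAUNCH_CONFIG,
            "Properties": {
                "ImageId": {"Ref": "LatestAmiId"},
                "UserData": {"Fn::Base64": '#!/bin/sh\necho "Hello world"'},
            },
        }
    }
})


def decode_user_data(value):
    """Return the decoded text if value is a base64 string, otherwise None.

    validate=True rejects strings containing non-base64 characters, so a
    readable script such as '#!/bin/sh ...' is not mistaken for encoded data.
    """
    if not isinstance(value, str):
        return None  # intrinsic-function objects (Fn::Base64, Fn::Join) stay readable
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_encoded_user_data(template):
    """Return [(logical_id, decoded_script)] for each flagged resource."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LAUNCH_CONFIG:
            continue
        user_data = resource.get("Properties", {}).get("UserData")
        decoded = decode_user_data(user_data)
        # A shebang in the decoded text shows that a script was hidden behind
        # the encoding rather than, say, a short opaque token.
        if decoded is not None and decoded.startswith("#!"):
            findings.append((logical_id, decoded))
    return findings


def scan(template_text):
    """Parse a JSON template and return its findings."""
    return find_encoded_user_data(json.loads(template_text))


if __name__ == "__main__":
    for label, text in (("positive", POSITIVE_TEMPLATE),
                        ("negative", NEGATIVE_TEMPLATE),
                        ("fn_base64", FN_BASE64_TEMPLATE)):
        for logical_id, script in scan(text):
            print(f"{label}: {logical_id} hides a script:\n{script}")
```

When reviewing a real template, the same check can be done by hand with `echo 'IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==' | base64 -d`; the point of the query is that nobody should have to do that to learn what an instance runs at boot.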