User Data Shell Script Is Encoded
- Query id: 9cf718ce-46f9-430e-89ec-c456f8b469ee
- Query name: User Data Shell Script Is Encoded
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description
User data shell scripts must not be supplied base64-encoded through `user_data_base64`. An encoded script is opaque to code review and to static policy checks, so the commands it runs (and any credentials embedded in it) cannot be inspected before the instance boots; supply the script in clear text (e.g. via `user_data`) so it can be reviewed and scanned. The query flags a `user_data_base64` value whose decoded content begins with a shell interpreter line such as `#!/bin/sh`.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: the launch configuration ships its user data as a base64
# string whose decoded content is a shell script (it begins with a `#!/bin/sh`
# interpreter line). Reviewers and policy scanners only see the encoded blob,
# which is what this query flags.
resource "aws_launch_configuration" "positive1" {
  # Data source `data.aws_ami.ubuntu` is defined outside this sample.
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "m4.large"
  spot_price    = "0.001"
  # Decodes to:
  #   #!/bin/sh
  #   echo "Hello world"
  user_data_base64 = "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg=="
  lifecycle {
    create_before_destroy = true
  }
}
Positive test num. 2 - tf file
# Positive sample: the same encoded shell script passed as the
# `user_data_base64` input of the terraform-aws-modules autoscaling module.
# The module wraps a launch configuration, so the finding applies to module
# inputs as well as to the raw resource.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  # The AMI and security-group IDs below are sample placeholder values.
  lc_name         = "example-lc"
  image_id        = "ami-ebd02392"
  instance_type   = "t2.micro"
  security_groups = ["sg-12345678"]
  # Decodes to:
  #   #!/bin/sh
  #   echo "Hello world"
  user_data_base64 = "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg=="
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0
  # Tags with propagate_at_launch = true are copied onto launched instances.
  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: no `user_data_base64` attribute at all, so there is no
# encoded script for the query to flag.
resource "aws_launch_configuration" "negative1" {
  # Data source `data.aws_ami.ubuntu` is defined outside this sample.
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "m4.large"
  spot_price    = "0.001"
  lifecycle {
    create_before_destroy = true
  }
}
Negative test num. 2 - tf file
# Negative sample: `user_data_base64` is present but empty, so nothing is
# encoded and there is no script to inspect.
resource "aws_launch_configuration" "negative2" {
  # Data source `data.aws_ami.ubuntu` is defined outside this sample.
  image_id         = data.aws_ami.ubuntu.id
  instance_type    = "m4.large"
  spot_price       = "0.001"
  user_data_base64 = ""
  lifecycle {
    create_before_destroy = true
  }
}
Negative test num. 3 - tf file
# Negative sample: `user_data_base64` is explicitly null, which Terraform treats
# as the attribute being unset; no encoded script is supplied.
resource "aws_launch_configuration" "negative3" {
  # Data source `data.aws_ami.ubuntu` is defined outside this sample.
  image_id         = data.aws_ami.ubuntu.id
  instance_type    = "m4.large"
  spot_price       = "0.001"
  user_data_base64 = null
  lifecycle {
    create_before_destroy = true
  }
}
Negative test num. 4 - tf file
Negative test num. 5 - tf file
# Negative sample: the autoscaling module is used without any
# `user_data_base64` input, so no encoded script is passed to the launch
# configuration.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  # The AMI and security-group IDs below are sample placeholder values.
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0
  # Tags with propagate_at_launch = true are copied onto launched instances.
  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
Negative test num. 6 - tf file
# Negative sample: `user_data_base64` is passed to the module but is an empty
# string, so there is no encoded script to flag.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  # The AMI and security-group IDs below are sample placeholder values.
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  user_data_base64 = ""
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0
  # Tags with propagate_at_launch = true are copied onto launched instances.
  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
Negative test num. 7 - tf file
# Negative sample: `user_data_base64` is explicitly null on the module input,
# which Terraform treats as unset; no encoded script is supplied.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  # The AMI and security-group IDs below are sample placeholder values.
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  user_data_base64 = null
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0
  # Tags with propagate_at_launch = true are copied onto launched instances.
  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
Negative test num. 8 - tf file
# Negative sample: `user_data_base64` is set, but the payload decodes to a bare
# `echo "Hello world"` with no `#!` interpreter line. Judging from the positive
# samples, the query keys on that shebang, so this is not classified as an
# encoded shell script.
# NOTE(review): the content is still opaque to reviewers and scanners; passing
# the sample here does not mean the encoded payload has been inspected.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  # The AMI and security-group IDs below are sample placeholder values.
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  # Decodes to: echo "Hello world"
  user_data_base64 = "ZWNobyAiSGVsbG8gd29ybGQi"
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0
  # Tags with propagate_at_launch = true are copied onto launched instances.
  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}