---
title: User data contains encoded private key
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > User data contains encoded private key
---

# User data contains encoded private key

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-user-data-contains-encoded-private-key` 

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/autoscaling_launch_config_module.html)

### Description{% #description %}

Embedding base64-encoded private keys in EC2 launch configuration user data exposes sensitive credentials that can be decoded and used to impersonate instances or access private services, resulting in credential compromise and lateral movement.

This rule inspects Ansible tasks using the `community.aws.autoscaling_launch_config` or `autoscaling_launch_config` modules and flags the `user_data` property when it contains the base64 prefix `LS0tLS1CR`, which corresponds to the start of an RSA private key header (`-----BEGIN R...`).

Remove any private keys from `user_data`; store secrets in a secure secrets manager or fetch them at runtime using an instance IAM role instead. Any task that embeds such a key in `user_data` is flagged.
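As an added example that is not part of the Datadog rule or its implementation, the following Python checker applies the test described above to a parsed Ansible task list (the structure PyYAML's `yaml.safe_load` returns for a playbook's task list), recursing into `block`/`rescue`/`always` sections, and decodes the head of each flagged value so a reviewer can see which PEM header it carries. The sample tasks are constructed from this page's compliant and non-compliant examples.

```python
import base64
import binascii

# Module names the rule inspects and the base64 prefix it looks for (from the rule text above).
MODULES = ("community.aws.autoscaling_launch_config", "autoscaling_launch_config")
ENCODED_PEM_PREFIX = "LS0tLS1CR"
NESTED_TASK_KEYS = ("block", "rescue", "always")


def decoded_prefix(value: str, quanta: int = 6) -> str:
    """Decode the first few whole base64 quanta of `value` so the PEM header is readable."""
    head = value[: quanta * 4]
    head = head[: len(head) - len(head) % 4]  # drop a partial quantum so decoding never raises
    try:
        return base64.b64decode(head, validate=True).decode("ascii", errors="replace")
    except (binascii.Error, ValueError):
        return ""  # not valid base64; nothing readable to report


def flag_tasks(tasks, findings=None):
    """Return (task name, decoded head) for every launch-config task whose user_data
    starts with the encoded PEM prefix. Recurses into block/rescue/always sections."""
    if findings is None:
        findings = []
    for task in tasks:
        if not isinstance(task, dict):
            continue
        for key in NESTED_TASK_KEYS:
            if isinstance(task.get(key), list):
                flag_tasks(task[key], findings)
        module = next((m for m in MODULES if m in task), None)
        params = task.get(module) if module else None
        user_data = params.get("user_data") if isinstance(params, dict) else None
        if isinstance(user_data, str) and user_data.startswith(ENCODED_PEM_PREFIX):
            findings.append((task.get("name", "<unnamed>"), decoded_prefix(user_data)))
    return findings


# Constructed sample: the shape yaml.safe_load would return for this page's examples.
LEAKED = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5"
SAMPLE_TASKS = [
    {"name": "compliant", "community.aws.autoscaling_launch_config": {"name": "special", "user_data": "dGVzdA=="}},
    {"name": "empty user_data", "community.aws.autoscaling_launch_config": {"name": "special2", "user_data": None}},
    {"name": "leaked key", "community.aws.autoscaling_launch_config": {"name": "special", "user_data": LEAKED}},
    {"name": "wrapped", "block": [{"name": "inner leak", "autoscaling_launch_config": {"user_data": LEAKED}}]},
]

if __name__ == "__main__":
    for name, header in flag_tasks(SAMPLE_TASKS):
        print(f"FLAGGED task {name!r}: user_data decodes to {header!r}...")
```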

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.autoscaling_launch_config:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data: dGVzdA==
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0
- name: note that encrypted volumes are only supported in >= Ansible 2.4.2
  community.aws.autoscaling_launch_config:
    name: special2
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data:
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.autoscaling_launch_config:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2' ]
    instance_type: t1.micro
    user_data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0
```
