For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-user-data-contains-encoded-private-key.md. A documentation index is available at /llms.txt.

User data contains encoded private key

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-user-data-contains-encoded-private-key

Provider: AWS

Platform: Ansible

Severity: High

Category: Encryption

Learn More

Description

Embedding base64-encoded private keys in EC2 launch configuration user data exposes sensitive credentials that can be decoded and used to impersonate instances or access private services, resulting in credential compromise and lateral movement.

This rule inspects Ansible tasks using the community.aws.autoscaling_launch_config or autoscaling_launch_config modules and flags the user_data property when it contains the base64 prefix LS0tLS1CR, which corresponds to the start of an RSA private key header (-----BEGIN R...).

Remove any private keys from user_data and instead store secrets in a secure secrets manager or fetch them at runtime using instance IAM roles. Tasks embedding keys are flagged.

Compliant Code Examples

- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.autoscaling_launch_config:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data: dGVzdA==
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0
- name: note that encrypted volumes are only supported in >= Ansible 2.4.2
  community.aws.autoscaling_launch_config:
    name: special2
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    user_data:
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0

Non-Compliant Code Examples

---
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.autoscaling_launch_config:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2' ]
    instance_type: t1.micro
    user_data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: true
    - device_name: /dev/sdb
      ephemeral: ephemeral0