--- title: User data contains encoded private key description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > User data contains encoded private key --- # User data contains encoded private key {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-user-data-contains-encoded-private-key` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html) ### Description{% #description %} Embedding private keys in instance user data (even if base64-encoded) exposes sensitive credentials that can be decoded and used to gain unauthorized access to instances and pivot within your environment. For `AWS::AutoScaling::LaunchConfiguration` resources, `Properties.UserData` must not contain PEM private key material. This includes raw PEM headers like `-----BEGIN RSA PRIVATE KEY` or their base64-encoded equivalents. This rule flags `UserData` entries that contain base64 fragments indicative of an encoded PEM header (for example, fragments such as `LS0tLS1CR`) or the raw PEM text. To remediate, store keys and secrets in a secure service (AWS Secrets Manager, Systems Manager Parameter Store) or provision access via EC2 key pairs, instance roles, or runtime retrieval from a secure store instead of hard-coding them into user data. Secure configuration example (retrieve secret from Secrets Manager at runtime): ```yaml MyLaunchConfiguration: Type: AWS::AutoScaling::LaunchConfiguration Properties: ImageId: ami-0abcdef1234567890 InstanceType: t3.micro IamInstanceProfile: !Ref MyInstanceProfile UserData: Fn::Base64: | #!/bin/bash aws secretsmanager get-secret-value --secret-id my-app-key --region us-east-1 --query SecretString --output text > /tmp/app-key.pem chmod 600 /tmp/app-key.pem ``` ## Compliant Code Examples{% #compliant-code-examples %} ```json { "Resources":{ "myLaunchConfig":{ "Type":"AWS::AutoScaling::LaunchConfiguration", "Properties":{ "ImageId":"ami-02354e95b39ca8dec", "SecurityGroups":[ { "Ref":"myEC2SecurityGroup" }, "myExistingEC2SecurityGroup" ], "InstanceType":"m1.large", "KeyName":{ "Ref":"KeyName" }, "UserData": "some-gibberish" } } } } ``` ```yaml --- Resources: myLaunchConfig2: Type: AWS::AutoScaling::LaunchConfiguration Properties: ImageId: "ami-02354e95b39ca8dec" SecurityGroups: - Ref: "myEC2SecurityGroup" - myExistingEC2SecurityGroup InstanceType: "m1.large" KeyName: Ref: "KeyName" UserData: "some-gibberish" ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```json { "Resources":{ "myLaunchConfig3":{ "Type":"AWS::AutoScaling::LaunchConfiguration", "Properties":{ "ImageId":"ami-02354e95b39ca8dec", "SecurityGroups":[ { "Ref":"myEC2SecurityGroup" }, "myExistingEC2SecurityGroup" ], "InstanceType":"m1.large", "KeyName":{ "Ref":"KeyName" }, "UserData": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5" } } } } ``` ```yaml --- Resources: myLaunchConfig4: Type: AWS::AutoScaling::LaunchConfiguration Properties: ImageId: "ami-02354e95b39ca8dec" SecurityGroups: - Ref: "myEC2SecurityGroup" - myExistingEC2SecurityGroup InstanceType: "m1.large" KeyName: Ref: "KeyName" UserData: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5" ``` ```yaml --- Resources: myLaunchConfig5: Type: AWS::AutoScaling::LaunchConfiguration Properties: ImageId: "ami-02354e95b39ca8dec" InstanceType: "m1.large" UserData: !Base64 "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5" ```