AWS Launch Configuration’s user_data_base64 field should never contain private keys, even if base64 encoded: base64 is an encoding, not encryption, and anyone who can read the value can decode it. When private keys are exposed in user data, they can be extracted from the instance metadata or discovered through AWS API calls, compromising the security of every system that trusts those credentials. Instead of embedding private keys directly in user data, as in the insecure example user_data_base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5", use an AWS secrets management service such as AWS Secrets Manager or AWS Systems Manager Parameter Store, or implement a secure alternative in which private keys are retrieved safely during instance startup.
# Compliant example: no user_data_base64 argument is set, so no key material
# is handed to the instance at launch.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name         = "example-lc"
  image_id        = "ami-ebd02392"
  instance_type   = "t2.micro"
  security_groups = ["sg-12345678"]

  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]

  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
# Compliant example: user_data_base64 is present but empty, so nothing
# sensitive is embedded in the launch configuration.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  user_data_base64 = ""

  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]

  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
# Non-compliant example: the user_data_base64 value below decodes to a PEM
# "-----BEGIN RSA PRIVATE KEY-----" header followed by placeholder key text.
# Base64 offers no confidentiality; the key is readable from instance metadata
# and via the AWS API. Fetch key material at boot from Secrets Manager or
# Systems Manager Parameter Store instead of embedding it here.
module "positive2" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  user_data_base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5" # flagged by this rule

  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]

  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
# Non-compliant example: the user_data_base64 value below decodes to
# "-----BEGIN OPENSSH PRIVATE KEY BLOCK-----", i.e. an OpenSSH private-key
# header. The encoding is trivially reversible, so this is equivalent to
# shipping the key in clear text; retrieve it at startup from a secrets
# store instead.
module "positive3" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name          = "example-lc"
  image_id         = "ami-ebd02392"
  instance_type    = "t2.micro"
  security_groups  = ["sg-12345678"]
  user_data_base64 = "LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZIEJMT0NLLS0tLS0=" # flagged by this rule

  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]

  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
    },
  ]

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
    {
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
    },
    {
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
    },
  ]
}
# Enable the Terraform / AWS ruleset so this rule is evaluated by the scanner.
rulesets:
  - Terraform / AWS # Rules to enforce / AWS.