github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/as_no_secrets_in_user_data.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/as_no_secrets_in_user_data.go (about)

     1  package ec2
     2  
     3  import (
     4  	"fmt"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  
    16  	"github.com/owenrumney/squealer/pkg/squealer"
    17  )
    18  
    19  var scanner = squealer.NewStringScanner()
    20  
    21  var CheckASNoSecretsInUserData = rules.Register(
    22  	scan.Rule{
    23  		AVDID:       "AVD-AWS-0129",
    24  		Aliases:     []string{"aws-autoscaling-no-secrets-in-user-data"},
    25  		Provider:    providers.AWSProvider,
    26  		Service:     "ec2",
    27  		ShortCode:   "no-secrets-in-launch-template-user-data",
    28  		Summary:     "User data for EC2 instances must not contain sensitive AWS keys",
    29  		Impact:      "User data is visible through the AWS Management console",
    30  		Resolution:  "Remove sensitive data from the EC2 instance user-data generated by launch templates",
    31  		Explanation: `EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.`,
    32  		Links: []string{
    33  			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html",
    34  		},
    35  		Terraform: &scan.EngineMetadata{
    36  			GoodExamples:        terraformASNoSecretsInUserDataGoodExamples,
    37  			BadExamples:         terraformASNoSecretsInUserDataBadExamples,
    38  			Links:               terraformASNoSecretsInUserDataLinks,
    39  			RemediationMarkdown: terraformASNoSecretsInUserDataRemediationMarkdown,
    40  		},
    41  		CloudFormation: &scan.EngineMetadata{
    42  			GoodExamples:        cloudFormationASNoSecretsInUserDataGoodExamples,
    43  			BadExamples:         cloudFormationASNoSecretsInUserDataBadExamples,
    44  			Links:               cloudFormationASNoSecretsInUserDataLinks,
    45  			RemediationMarkdown: cloudFormationASNoSecretsInUserDataRemediationMarkdown,
    46  		},
    47  		Severity: severity.Critical,
    48  	},
    49  	func(s *state.State) (results scan.Results) {
    50  		for _, instance := range s.AWS.EC2.LaunchTemplates {
    51  			if instance.Metadata.IsUnmanaged() {
    52  				continue
    53  			}
    54  			if result := scanner.Scan(instance.UserData.Value()); result.TransgressionFound {
    55  				results.Add(
    56  					fmt.Sprintf("Sensitive data found in launch template user data: %s", result.Description),
    57  					instance.UserData,
    58  				)
    59  			} else {
    60  				results.AddPassed(&instance)
    61  			}
    62  		}
    63  		return
    64  	},
    65  )