[DEPRECATED] EC2 Auto Scaling launch configuration user data contains no secrets
autoscaling_find_secrets_ec2_launch_configuration
Severity: critical
Service: autoscaling
[DEPRECATED] EC2 Auto Scaling launch configurations are analyzed for secrets embedded in User Data, such as passwords, tokens, or API keys in bootstrapping scripts.
Risk
Secrets in User Data erode confidentiality and integrity:
- Instance users or processes can read or log them
- Exposed keys enable unauthorized API calls, data exfiltration, and lateral movement
- Credential reuse increases blast radius across accounts and services
Run this check with Prowler CLI
prowler aws --checks autoscaling_find_secrets_ec2_launch_configuration
Recommendation
Never place secrets in User Data.
- Use a managed secret store with an instance role to fetch at runtime
- Enforce least privilege, rotate secrets, and avoid writing secrets to logs
- Prefer short-lived, scoped credentials and layer controls for defense in depth
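The following is an added example, not Prowler's own check implementation, of the kind of scan this check performs and of the difference between the failing and the recommended User Data shape. It assumes launch configuration records shaped like the items in a boto3 `describe_launch_configurations()` response, with `UserData` base64-encoded, and uses constructed sample data (the access key and secret key values are AWS's documented placeholder examples). The regexes are generic heuristics chosen for this example, not Prowler's rule set.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# Secret shapes to look for. The access key ID shape is documented by AWS;
# the remaining patterns are key=value heuristics assumed for this example.
# The password/token patterns exclude '$' so that references such as
# "$(aws secretsmanager ...)" or "$SECRET_ID" are not reported as secrets.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"$]{6,}"
    ),
    "token_or_api_key": re.compile(
        r"(?i)\b(api[_-]?key|token)\s*[=:]\s*['\"]?[^\s'\"$]{16,}"
    ),
}


@dataclass
class Finding:
    launch_configuration: str
    pattern: str
    line_no: int


def decode_user_data(user_data_b64: str) -> str:
    """Decode the base64 UserData field; undecodable input is treated as empty."""
    if not user_data_b64:
        return ""
    try:
        raw = base64.b64decode(user_data_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    return raw.decode("utf-8", errors="replace")


def find_secrets(name: str, user_data_b64: str) -> List[Finding]:
    """Scan every line of the decoded User Data against each secret pattern."""
    findings: List[Finding] = []
    for line_no, line in enumerate(decode_user_data(user_data_b64).splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(name, label, line_no))
    return findings


def audit(launch_configurations: List[dict]) -> Dict[str, str]:
    """Return a PASS/FAIL verdict per launch configuration, as the check would."""
    verdicts = {}
    for lc in launch_configurations:
        name = lc["LaunchConfigurationName"]
        verdicts[name] = "FAIL" if find_secrets(name, lc.get("UserData", "")) else "PASS"
    return verdicts


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample: a failing bootstrap script with static credentials baked in.
USER_DATA_WITH_SECRETS = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2hunter2
"""

# Constructed sample: only the secret's name is baked in; the instance role
# fetches the value from Secrets Manager at boot (the recommended shape).
USER_DATA_HARDENED = """#!/bin/bash
# Only the secret's name is baked in; the instance role fetches the value at boot.
SECRET_ID=prod/app/db
DB_PASSWORD="$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID" --query SecretString --output text)"
"""

SAMPLE_LAUNCH_CONFIGURATIONS = [
    {"LaunchConfigurationName": "web-lc-with-secrets", "UserData": _b64(USER_DATA_WITH_SECRETS)},
    {"LaunchConfigurationName": "web-lc-hardened", "UserData": _b64(USER_DATA_HARDENED)},
    {"LaunchConfigurationName": "web-lc-empty", "UserData": ""},
]

if __name__ == "__main__":
    for lc_name, verdict in audit(SAMPLE_LAUNCH_CONFIGURATIONS).items():
        print(f"{lc_name}: {verdict}")
    for f in find_secrets("web-lc-with-secrets", SAMPLE_LAUNCH_CONFIGURATIONS[0]["UserData"]):
        print(f"  line {f.line_no}: {f.pattern}")
```

Run against real data by replacing `SAMPLE_LAUNCH_CONFIGURATIONS` with the `LaunchConfigurations` list from `describe_launch_configurations()`; the hardened sample passes because the scanner skips shell substitutions, which is exactly the shape the recommendation asks for.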
Remediation
Other
- In the AWS Console, go to EC2 > Launch configurations and click Create launch configuration
- Reuse the same AMI and instance type; leave User data empty
- Go to EC2 > Auto Scaling groups, select the group using the failing launch configuration, click Edit
- Under Launch options, select the new launch configuration and Save
- After the ASG is updated, delete the old launch configuration
Resource Type: AwsAutoScalingLaunchConfiguration