EC2 instance User Data is inspected for secret-like values (credentials, tokens, keys). Both plain and compressed content are decoded and parsed, honoring configured exclusions, to identify patterns that resemble sensitive material inside initialization scripts.
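The decode-then-scan flow described above, as an added example that is not Prowler's own code: User Data is returned base64-encoded and may be gzip-compressed, so the script decodes both forms before matching a small set of secret-like patterns and applying exclusions. The pattern set, the exclusion syntax (regexes matched per line) and the sample script are constructed for illustration; the key values are AWS's documented example credentials.

```python
import base64
import gzip
import re

# Illustrative secret-like patterns (constructed; not Prowler's rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    "generic_password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*[\"']?\S{6,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def encode_user_data(script, compress=False):
    """Produce the base64 form the EC2 API returns, optionally gzip-compressed."""
    data = script.encode("utf-8")
    if compress:
        data = gzip.compress(data)
    return base64.b64encode(data).decode("ascii")


def decode_user_data(raw_b64):
    """Base64-decode User Data and, if the gzip magic number is present, decompress it."""
    data = base64.b64decode(raw_b64)
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def find_secrets(script, exclusions=()):
    """Return (pattern_name, line_number) for each secret-like line not covered by an exclusion regex."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if any(re.search(exc, line) for exc in exclusions):
            continue  # configured exclusion: skip this line entirely
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


# Constructed sample: a cloud-init style script that exports static credentials
# (AWS's documented example key pair) and writes a password to a config file.
SAMPLE_SCRIPT = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
echo "password=changeme123" > /etc/app.conf   # fixture
apt-get update -y
"""

if __name__ == "__main__":
    for compressed in (False, True):
        decoded = decode_user_data(encode_user_data(SAMPLE_SCRIPT, compress=compressed))
        print("compressed" if compressed else "plain", find_secrets(decoded, exclusions=[r"#\s*fixture"]))
```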
Risk
Secrets embedded in User Data undermine confidentiality and integrity. Anyone with instance or build-system access can read them, reuse credentials to call services, exfiltrate data, or move laterally. Exposure may persist in AMIs, snapshots, and backups, increasing blast radius over time.
prowler aws --checks ec2_instance_secrets_user_data
Recommendation
Avoid placing secrets in User Data. Store them in a managed secret service and fetch at runtime via a least-privilege instance role. Prefer short-lived credentials with regular rotation. Limit who can view or edit User Data and apply defense in depth with automated secret scanning in build pipelines.
Remediation
Clear the User Data of the affected instance (the instance must be stopped before its user data can be modified) and rotate any credentials that were exposed, since clearing the field does not revoke them:
aws ec2 modify-instance-attribute --instance-id <INSTANCE_ID> --user-data "Value="
- Open the AWS EC2 console and go to Instances
- Select the affected instance
- Click Actions > Instance settings > Edit user data
- Delete all contents of the user data field
- Click Save
Resource Type
AwsEc2Instance