EC2 launch template user data is analyzed across all versions to identify embedded secrets (hard-coded passwords, tokens, API keys, or private keys) within the startup scripts or configuration supplied to instances.
Risk
Secrets in user data can be read by identities able to view launch templates, eroding confidentiality.
Exposed credentials enable unauthorized API actions, data exfiltration, and lateral movement. Past template versions retain leaked values, complicating rotation and recovery.
prowler aws --checks ec2_launch_template_no_secrets
Recommendation
Keep user data free of secrets. Retrieve sensitive values at runtime from AWS Secrets Manager or SSM Parameter Store SecureString using instance roles.
Enforce least privilege, rotate to short-lived credentials, and review template history; if exposure occurred, rotate affected secrets.
Remediation
- In the AWS Console, go to EC2 > Launch Templates
- Select the launch template and click Create new version
- In Advanced details, clear the User data field so it is blank
- Save and set this clean version as the Default version
- Back in the Versions tab, select all versions that contain secrets and click Actions > Delete versions
- Ensure only versions with blank (or non-secret) user data remain
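The version review and cleanup above can be driven by a scan of every launch template version. The following is an added example, not Prowler's own check code: it decodes each version's base64 UserData and flags matches against a few constructed secret patterns, treating values that start with "$" (a runtime lookup such as the recommended SSM fetch) as non-secrets. The boto3 enumeration assumes the caller has ec2:DescribeLaunchTemplateVersions permission; the sample user data strings are constructed so the matcher runs offline.

```python
import base64
import re

# Constructed patterns for a few common credential shapes. This is a simplified
# scanner, not Prowler's own detector, which covers many more secret types.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a value starting with "$" is a runtime lookup like $(aws ssm ...), not a literal
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?(?!\$)[^\s'\"]{8,}"),
    "generic_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?(?!\$)[A-Za-z0-9/+_\-]{16,}"),
}

def find_secrets(user_data_b64: str) -> list[str]:
    """Decode a launch template UserData field (base64) and return matched pattern names."""
    try:
        text = base64.b64decode(user_data_b64, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not base64, scan the raw string
        text = user_data_b64
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

def scan_launch_template(template_id: str, region: str) -> dict[int, list[str]]:
    """Walk every version of one launch template; map version number -> findings."""
    import boto3  # imported here so the offline samples below run without the SDK
    ec2 = boto3.client("ec2", region_name=region)
    findings = {}
    pages = ec2.get_paginator("describe_launch_template_versions").paginate(
        LaunchTemplateId=template_id)  # all versions when Versions is omitted
    for page in pages:
        for version in page["LaunchTemplateVersions"]:
            hits = find_secrets(version["LaunchTemplateData"].get("UserData", ""))
            if hits:
                findings[version["VersionNumber"]] = hits
    return findings

# Constructed sample user data: one following the recommendation, one leaking secrets.
CLEAN_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"DB_PASSWORD=$(aws ssm get-parameter --name /app/db/password "
    b"--with-decryption --query Parameter.Value --output text)\n"
).decode()
LEAKY_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example key
    b"echo 'password=Sup3rS3cretPassw0rd' >> /etc/app.conf\n"
    b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n"
).decode()
```

`find_secrets(LEAKY_USER_DATA)` returns the three matched pattern names while the clean sample returns an empty list; `scan_launch_template` returns only the version numbers with hits, which are the versions to delete in the remediation steps.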
Resource Type
AwsEc2LaunchTemplate