EC2 UserData Credential Extraction
Severity: medium
Tactic: Credential Access
An attacker reads EC2 instance UserData or modifies it to extract credentials, secrets, and bootstrap scripts that often contain sensitive configuration.
Required Permissions
ec2:DescribeInstanceAttribute to read UserData. ec2:ModifyInstanceAttribute together with ec2:StopInstances and ec2:StartInstances to replace UserData and have it executed. cloudformation:ListStacks and cloudformation:DescribeStacks (plus cloudformation:GetTemplate for template bodies) for the stack-description variant.
Description
EC2 instance UserData is the bootstrap mechanism that cloud-init (Linux) or the EC2 launch agents (Windows) process at boot; by default its scripts run only on the instance's first boot. It frequently contains hardcoded credentials, environment variables, API keys, database connection strings, and other secrets that developers embed for application setup.
Two attack vectors exist:
- **Reading existing UserData** — With ec2:DescribeInstanceAttribute (attribute userData), an attacker can read the UserData of every instance the policy allows. The value comes back base64-encoded but is not encrypted, and it often contains application secrets, database passwords, and AWS access keys embedded in setup scripts. The same content is also served to any process on the instance by the instance metadata service, so a local foothold or SSRF reads it without any IAM permission at all.
- **Modifying UserData for code execution** — With ec2:ModifyInstanceAttribute plus ec2:StopInstances and ec2:StartInstances, an attacker can stop the instance (UserData can only be changed while it is stopped), replace the UserData with their own script, and start it again. On that boot the instance runs the attacker's script with the permissions of the instance profile role. One caveat: on a Linux instance that has already completed its first boot, cloud-init's scripts-user module does not re-run on stop/start, so a bare shell script does nothing; the attacker has to deliver it as multipart UserData whose #cloud-config part sets cloud_final_modules to [scripts-user, always] (Windows needs the persist flag in the script). With that in place, this is effectively code execution on any stoppable EC2 instance.
Additionally, CloudFormation stack descriptions (both active and deleted stacks) often contain similar sensitive data in stack parameters, outputs, and template bodies. Parameters declared with NoEcho are masked in DescribeStacks output, but many templates do not use it, and values hardcoded in the template body come back in plaintext from GetTemplate. Deleted stacks remain listable and describable for 90 days, providing a historical record of credentials that may still be valid.
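The two vectors above, as an added example that is not part of the original page: the read side decodes a DescribeInstanceAttribute (attribute userData) response and triages it for credential patterns, and the modify side builds the multipart UserData that makes cloud-init run a script on every boot rather than only on first boot. The response dictionary, script and every credential in it are constructed for the example (the AKIA/wJalr pair is AWS's published example key), the regex set is a first-pass triage list rather than anything authoritative, and the multipart layout assumes a Linux AMI running cloud-init.

```python
import base64
import re

# Constructed sample: a DescribeInstanceAttribute (attribute=userData) response.
# The instance ID, script and every credential in it are made up; the AKIA/
# wJalr... pair is the documented AWS example key, not a live one.
SAMPLE_SCRIPT = """#!/bin/bash
export DB_URL="postgres://app:Sup3rS3cret@db.internal:5432/prod"
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
curl -s https://bootstrap.example.internal/setup.sh | bash
"""
SAMPLE_RESPONSE = {
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(SAMPLE_SCRIPT.encode()).decode()},
}

# Patterns a first-pass triage would use; tune to the environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "password_in_url": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@"),
    "assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api_key)\s*[=:]\s*['\"]?[^'\"\s]+"),
}


def decode_user_data(response):
    """Plaintext UserData from a DescribeInstanceAttribute response ('' if none).
    The API returns it base64-encoded; that is encoding, not encryption."""
    value = (response.get("UserData") or {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def find_secrets(text):
    """Return (pattern_name, line_number, matched_text) for likely secrets."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((name, lineno, match.group(0)))
    return hits


def per_boot_user_data(script, boundary="==USERDATA=="):
    """Wrap a shell script in the multipart UserData cloud-init expects when
    the script must run on every boot. A bare script pushed via
    ModifyInstanceAttribute does not run on a stop/start of an instance that
    already completed its first boot, because the scripts-user module runs
    once per instance by default; the #cloud-config part below overrides that.
    Assumption: the target is a Linux AMI that runs cloud-init."""
    cloud_config = "#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n"
    parts = [("text/cloud-config", "cloud-config.txt", cloud_config),
             ("text/x-shellscript", "userdata.txt", script)]
    lines = [f'Content-Type: multipart/mixed; boundary="{boundary}"',
             "MIME-Version: 1.0", ""]
    for ctype, filename, body in parts:
        lines += [f"--{boundary}",
                  f'Content-Type: {ctype}; charset="us-ascii"',
                  "MIME-Version: 1.0",
                  "Content-Transfer-Encoding: 7bit",
                  f'Content-Disposition: attachment; filename="{filename}"',
                  "", body.rstrip("\n")]
    lines += [f"--{boundary}--", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, lineno, text in find_secrets(decode_user_data(SAMPLE_RESPONSE)):
        print(f"line {lineno}: {name}: {text}")
    print(per_boot_user_data("#!/bin/bash\nid > /tmp/who-ran-me\n"))
```

In practice the response dictionary would come from `aws ec2 describe-instance-attribute --attribute userData --instance-id ...` (or the boto3 equivalent) and the multipart string would be base64-encoded and passed to ModifyInstanceAttribute while the instance is stopped; both calls are left out so the block runs offline.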
Impact
Exposure of hardcoded credentials, API keys, and database passwords. With modify access, arbitrary code execution on target instances with their IAM role permissions.
Detection
In CloudTrail, alert on ec2 DescribeInstanceAttribute events whose requestParameters.attribute is userData, weighting principals and source IPs that do not normally touch the instance, and on any ModifyInstanceAttribute event whose requestParameters carry a userData key. A StopInstances, ModifyInstanceAttribute (userData), StartInstances sequence on one instance by one principal is the code-execution pattern and should page rather than ticket. Separately, audit cloudformation DescribeStacks output, including deleted stacks, for parameters and outputs that look like credentials.
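The detection logic above run over sample log lines, as an added example that is not part of the original page. The CloudTrail-style records are constructed: field names follow the CloudTrail record format, but the identities, IPs, times and instance IDs are made up, and the exact requestParameters layout for each API (in particular whether the userData value itself is logged) is an assumption to verify against real events in your own trail.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records; see the lead-in for what is assumed.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-05-01T10:22:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "userData": {"value": "<base64 omitted>"}}},
    {"eventTime": "2024-05-01T10:23:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "instanceType": {"value": "t3.large"}}},
]


def classify(event):
    """Tag the two user-data events; every other event returns None."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    params = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "DescribeInstanceAttribute" and params.get("attribute") == "userData":
        return "userdata_read"
    if name == "ModifyInstanceAttribute" and "userData" in params:
        return "userdata_modify"
    return None


def _instance_ids(event):
    """Instance IDs named by the request, for both single-ID and set-style APIs."""
    params = event.get("requestParameters") or {}
    if "instanceId" in params:
        return {params["instanceId"]}
    items = (params.get("instancesSet") or {}).get("items") or []
    return {i.get("instanceId") for i in items}


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def findings(events):
    """One finding per user-data read or rewrite, with who, what and from where."""
    out = []
    for e in events:
        kind = classify(e)
        if kind:
            out.append({"kind": kind, "actor": e["userIdentity"]["arn"],
                        "ip": e.get("sourceIPAddress"), "time": e["eventTime"],
                        "instances": sorted(_instance_ids(e))})
    return out


def modify_then_start(events, window=timedelta(hours=1)):
    """Pair a userData rewrite with a StartInstances on the same instance by the
    same principal within `window`: that sequence is the code-execution path
    and deserves a higher-severity alert than either event on its own."""
    pairs = []
    for m in (e for e in events if classify(e) == "userdata_modify"):
        for s in (e for e in events if e.get("eventName") == "StartInstances"):
            same_actor = s["userIdentity"]["arn"] == m["userIdentity"]["arn"]
            shared = _instance_ids(m) & _instance_ids(s)
            if same_actor and shared and timedelta(0) <= _ts(s) - _ts(m) <= window:
                pairs.append({"actor": m["userIdentity"]["arn"], "instances": sorted(shared),
                              "modified": m["eventTime"], "started": s["eventTime"]})
    return pairs


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f)
    for p in modify_then_start(SAMPLE_EVENTS):
        print("ALERT userData rewrite followed by start:", p)
```

The window is deliberately generous: an attacker has no reason to wait, but a legitimate operator editing UserData during a maintenance window may take a while to start the instance, so the pairing is what raises severity while the individual rewrite event still generates its own finding.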
Mitigation
Never embed credentials in UserData. Give the instance an instance profile role and have the bootstrap script fetch what it needs at boot from Secrets Manager or SSM Parameter Store (SecureString); UserData has no encryption-at-rest option and must be treated as plaintext readable by anyone with ec2:DescribeInstanceAttribute and by any process on the instance. Restrict ec2:DescribeInstanceAttribute, ec2:ModifyInstanceAttribute and ec2:StopInstances/ec2:StartInstances to the roles that need them. For CloudFormation, mark sensitive parameters NoEcho and pass secrets through dynamic references ({{resolve:secretsmanager:...}} or {{resolve:ssm-secure:...}}) rather than plaintext parameter values; because deleted stacks stay describable for 90 days, rotate any secret that was ever passed in plaintext rather than relying on cleanup.