I am provisioning an EC2 using Terraform, and I am leveraging PowerShell to programmatically create a local admin user on the EC2 when the Terraform is run. The problem I am running into is that when the EC2 is launched, and I go into the "View/Change User Data" option under "Instance Settings" on the EC2, it is showing the local admin user's password in plain text. Is there any way to do this so that it does not show the password within the User Data section? Below is the PS:
<powershell>
($User = "brittany")
$Password = ConvertTo-SecureString "MyPassword123" -AsPlainText -Force
New-LocalUser $User -Password $Password
Add-LocalGroupMember -Group "Remote Desktop Users” -Member $User
Add-LocalGroupMember -Group "Administrators" -Member $User
</powershell>
CodePudding user response:
From the documentation:
Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.
So instead of having a plaintext password, you should use a Secret Manager secret to store the password value, and you should then fetch that secret in the UserData script.
CodePudding user response:
It's generally a bad idea to pass passwords into an EC2 instance this way, as you are finding. The preferred way on AWS is to store the password in either AWS SSM Parameter Store, or AWS Secrets Manager, and just pass the name or ARN of the secret in the script. The script can query SSM or SecretsManager for the value.