AWS Management Console cannot handle binary EC2 user data

0

This is not a question. I just wanted to put something I found out there so other people can talk about it. I didn't create a support ticket as I don't have premium support. I know that it wouldn't affect anyone in most cases.

https://repost.aws/questions/QUtZd267f4SSuyBkfNxQY1Cw/bug-report


If the "Input is already base64-encoded" option is checked, the browser does not handle the data as binary and tries to convert the input from ISO-8859-1 to UTF-8 if it "thinks" it's text data.

Steps to reproduce

Generate arbitrary binary data. Any binary data should work as long as the JS algorithm determines it to be text.

echo -ne '\xab\xba\xba\xbe' | base64
# q7q6vg==

Pick a stopped instance to play with. Put the base64-encoded text into the textbox.

AWS Management Console EC2 "Edit user data" form

Inspect the actual data uploaded.

aws --region=AA-BBBB-N ec2 describe-instance-attribute --instance-id i-NNNNNNNNNNNNNNNNN --attribute userData | jq -r '.UserData.Value' | base64 -d | hexdump -C

You'll see that the data is not what you put in.

00000000  c2 ab c2 ba c2 ba c2 ba                           |........|
00000008

This is a bug in the web client. It's confirmed by inspecting the actual request sent to the API endpoint from the browser.

POST request capture

This can complicate things

According to the user guide,

User data is treated as opaque data: what you give is what you get back. It is up to the instance to interpret it.

User data can be set to binary data using awscli. It has no problem handling binary data and sending it to the API endpoint. The endpoint does not seem to care about the data. IMDS even returns user data to the instance as "application/octet-stream". So in essence, you can put anything in your user data. The AWS Management Console is built upon the assumption that the user data is always plain text. It always tries to decode and show the data as plain text.

User data must be base64-encoded. The Amazon EC2 console can perform the base64-encoding for you or accept base64-encoded input.

This is just because user data has to be put in the request JSON object. Again, nothing at the EC2 end should care about the contents of the user data, because it's an attack vector if anything does.

This complicates things for users who want to put binary data in user data using the Management Console. Using awscli to make a launch template is not an easy task for some people.

David T
asked 4 months ago, 151 views
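The corruption described in the post can be modelled offline. The following is an added example (not code from the post or from AWS): it simulates the reported browser behaviour, decoding the "already base64-encoded" input and re-encoding it as if it were ISO-8859-1 text, and gives a check that compares what describe-instance-attribute returns against the bytes you intended to upload. The sample bytes are the four from the post; the function names are assumptions of this example.

```python
import base64

# Constructed sample input: the four bytes from the bug report.
INTENDED_USER_DATA = b"\xab\xba\xba\xbe"


def console_like_encode(raw: bytes) -> bytes:
    """Model of the reported bug (not the console's own code): the decoded
    input is treated as ISO-8859-1 text and re-encoded as UTF-8 before it
    is sent to the API. Every byte >= 0x80 becomes a two-byte sequence."""
    return raw.decode("iso-8859-1").encode("utf-8")


def simulate_console_submit(b64_input: str) -> str:
    """Return the base64 value the API would store after the mangling."""
    raw = base64.b64decode(b64_input, validate=True)
    return base64.b64encode(console_like_encode(raw)).decode("ascii")


def stored_matches(intended: bytes, stored_b64: str) -> bool:
    """Compare the UserData.Value returned by describe-instance-attribute
    with the bytes you meant to upload; False means the data was altered."""
    return base64.b64decode(stored_b64) == intended


def looks_utf8_inflated(intended: bytes, stored_b64: str) -> bool:
    """True when the stored bytes are exactly the ISO-8859-1 -> UTF-8
    expansion of the intended bytes, i.e. the signature of this console
    bug rather than some unrelated corruption."""
    return base64.b64decode(stored_b64) == console_like_encode(intended)


if __name__ == "__main__":
    sent = base64.b64encode(INTENDED_USER_DATA).decode("ascii")  # q7q6vg==
    stored = simulate_console_submit(sent)
    print("sent:    ", sent)
    print("stored:  ", stored, base64.b64decode(stored).hex(" "))
    print("intact:  ", stored_matches(INTENDED_USER_DATA, stored))
    print("inflated:", looks_utf8_inflated(INTENDED_USER_DATA, stored))
```

Pure ASCII user data (an ordinary shell script) passes through the modelled conversion unchanged, which is why the bug only surfaces with binary payloads.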
1 Answer
0

Hello.

I think it's a good idea to report bugs in the management console UI, etc. using the "Feedback" button at the bottom left of the screen.
I think if you report it here, they will respond someday.
EXPERT
answered 4 months ago
