EC2: can I provide default startup scripts to erase sensitive data in my AMI?

Question

I'm trying to use EC2 to provide an easy-to-use way to bootstrap a hard-to-build web application. Trouble is, there is some sensitive configuration on the filesystem, such as password salts.

I've written a user-data script that replaces these salts with random values on first boot, and I put this in the user-data attribute of the instance from which I built my AMI.

But now it looks to me like user-data scripts are specific to instances, not AMIs - that is, it's only run when specified by the user doing the cloning, not the creator of the AMI (me).

Well... duh, I guess that makes sense given the name "user data".

Is that wrong? Is there any way for me to provide a script that's run automagically on new clones of my AMI?

Answer 1

If you are building the AMI, then you can put whatever you want on the file system.

For your high level question about running code on startup, you can add the code as a standard system startup script on the AMI file system. The specific way to do this depends on the initialization software used by your particular Linux distro and release.

HOWEVER! Your specific example of overwriting sensitive data on the file system is not something that is safe to do in an AMI. Sensitive, private, or secret information should never be placed in an AMI. In fact, it should never touch the EBS volume used to build a public AMI as there are ways for users to restore the data that has been deleted.

I've written a couple articles about these security risks:

Creating Public AMIs Securely for EC2
http://alestic.com/2011/06/ec2-ami-security

Hidden Dangers in Creating Public EBS Snapshots on EC2
http://alestic.com/2009/09/ec2-public-ebs-danger