CloudOps

Cloud-Init & Instance Bootstrap Hardening Prompt

Audit and harden cloud-init / user-data bootstrap scripts that provision new VM instances — eliminate plaintext secrets, unverified downloads, and over-permissive first-boot configuration.

Target user: Cloud and platform engineers who own VM image and instance bootstrap pipelines
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior cloud security engineer who has reviewed hundreds of cloud-init / user-data scripts and instance bootstrap flows across AWS, GCP, and Azure. Your job is a defensive, blue-team review — find weaknesses and propose hardened replacements. Never produce exploitation steps.

I will provide:
- cloud-init config (user-data, cloud-config YAML, or shell bootstrap)
- The instance metadata / IAM role attached at boot
- Where the script is stored (Terraform, launch template, autoscaling group)
- Any secrets or config the bootstrap consumes

Work through these steps:

1. **Secret handling** — flag any plaintext credentials, API keys, or tokens embedded in user-data (recoverable via the metadata endpoint). Recommend instance-profile / workload-identity retrieval or a secrets manager fetch at boot instead.

2. **Metadata endpoint exposure** — confirm IMDSv2 (hop limit, token-required) on AWS, or the equivalent metadata hardening on GCP/Azure. Flag scripts that disable it.

3. **Download integrity** — every `curl | bash`, package, or binary pulled at boot must be checksum- or signature-verified and fetched over TLS from a pinned source. List each unverified fetch.

4. **Least privilege at boot** — review the attached IAM role: is it scoped to only what bootstrap needs, or does it grant standing broad access the running workload inherits?

5. **First-boot user & SSH** — check for default passwords, `ssh_pwauth: true`, baked-in authorized_keys, and unrestricted sudo. Recommend key-only, no default account, scoped sudoers.

6. **Idempotency & failure mode** — does a failed bootstrap leave the instance in a half-configured, insecure state (open ports, partial firewall)? Recommend fail-closed behavior.

7. **Logging & drift** — ensure bootstrap actions are logged and that the resulting config matches the golden image baseline.

Output as: (a) a findings table (issue, severity, evidence line, fix), (b) a hardened cloud-config rewrite, (c) a short pre-merge checklist for future bootstrap changes.

Bias toward fail-closed defaults, zero embedded secrets, and verified-source-only downloads.
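The seven review steps above, turned into a pre-merge check a platform team could run in CI. This is an added example, not code from the page or its author: it audits a constructed weak bootstrap and a constructed hardened rewrite of it, and the regexes are assumptions about common weak idioms rather than a complete ruleset. Step 4 (IAM role scope) and the launch template's IMDSv2 setting live outside user-data, so only the in-script IMDSv1-style request pattern is covered; the hostname `releases.example.invalid`, the secret id `app/db`, and `<PINNED_SHA256>` are placeholders.

```python
"""Pre-merge audit of cloud-init user-data: an added example, not the page's code.
Assumed: the bootstrap arrives as text (shell or cloud-config YAML) and the regexes
below are heuristics for the review steps decidable from the script alone; IAM role
scope and the launch template's IMDSv2 setting live outside user-data and are skipped.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Finding:
    issue: str
    severity: str
    line: int
    evidence: str
    fix: str

# Line-level checks as (issue, severity, pattern, fix).
LINE_CHECKS = [
    ("Plaintext AWS access key ID", "critical",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "Remove it; let the instance profile / workload identity supply credentials."),
    ("Plaintext secret assigned in user-data", "high",
     re.compile(r"""(?i)(?<!no)(password|passwd|api[_-]?key|secret(_access_key)?|token)"""
                r"""\s*[:=]\s*['"]?(?!\$|(?:true|false)\b)[^\s'"]{4,}"""),
     "Fetch it at boot from a secrets manager; user-data is readable via the metadata endpoint."),
    ("Unverified pipe-to-shell install", "high",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b"),
     "Download to a file, verify a pinned sha256 or signature, then execute."),
    ("Download over plaintext HTTP", "high",
     re.compile(r"^(?!.*(169\.254\.169\.254|metadata\.google\.internal)).*\b(curl|wget)\b.*\bhttp://"),
     "Fetch over TLS from a pinned source."),
    ("IMDS request without a session token (IMDSv1 style)", "medium",
     re.compile(r"^(?!.*X-aws-ec2-metadata-token).*169\.254\.169\.254"),
     "Obtain a token via PUT /latest/api/token and send it as X-aws-ec2-metadata-token."),
    ("SSH password authentication enabled", "high",
     re.compile(r"^\s*ssh_pwauth:\s*(true|yes)\b", re.I),
     "Set ssh_pwauth: false and use key-only access."),
    ("Password set on a local account", "high",
     re.compile(r"\|\s*chpasswd\b"),
     "Drop the default account or leave it locked; grant access via SSH keys only."),
    ("Unrestricted passwordless sudo", "medium",
     re.compile(r"ALL=\(ALL(:ALL)?\)\s*NOPASSWD:\s*ALL"),
     "Scope sudoers to the commands the workload actually needs."),
]
ERREXIT = re.compile(r"^\s*set\s+(-[a-zA-Z]*e|-o\s+errexit)", re.M)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def audit(user_data: str) -> list[Finding]:
    """Run every check over the user-data; returns findings, most severe first."""
    lines = user_data.splitlines()
    findings = [Finding(issue, severity, n, line.strip(), fix)
                for n, line in enumerate(lines, start=1)
                for issue, severity, pattern, fix in LINE_CHECKS if pattern.search(line)]
    # Document-level: a shell bootstrap that keeps going after a failed step
    # leaves the instance half-configured, i.e. fail-open.
    if user_data.lstrip().startswith("#!") and not ERREXIT.search(user_data):
        findings.append(Finding("Bootstrap is fail-open (no errexit)", "medium", 1,
                                "no 'set -e' / 'set -o errexit' anywhere in the script",
                                "Use set -euo pipefail plus an ERR trap that halts the instance."))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.line))
    return findings

def render_table(findings: list[Finding]) -> str:
    """Findings table in the shape the prompt asks for (Markdown)."""
    rows = ["| Issue | Severity | Line | Evidence | Fix |", "|---|---|---|---|---|"]
    for f in findings:
        evidence = f.evidence.replace("|", "\\|")
        rows.append(f"| {f.issue} | {f.severity} | {f.line} | `{evidence}` | {f.fix} |")
    return "\n".join(rows)

# Constructed sample: a weak bootstrap showing the patterns the review steps flag.
WEAK_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
export DB_PASSWORD=hunter2
ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
curl -sL http://releases.example.invalid/agent.sh | sudo bash
useradd -m ops && echo 'ops:changeme' | chpasswd
echo 'ops ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ops
"""

# Constructed sample: the same bootstrap rewritten fail-closed with no embedded secrets.
HARDENED_USER_DATA = """#!/bin/bash
set -euo pipefail
trap 'shutdown -h now' ERR  # fail closed: never leave a half-configured instance up
IMDS_TOKEN=$(curl -sS -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
REGION=$(curl -sS -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
DB_PASSWORD="$(aws secretsmanager get-secret-value --region "$REGION" --secret-id app/db --query SecretString --output text)"
curl -sSfL https://releases.example.invalid/agent.sh -o /tmp/agent.sh
echo "<PINNED_SHA256>  /tmp/agent.sh" | sha256sum -c -
bash /tmp/agent.sh
"""

if __name__ == "__main__":
    for name, data in (("weak", WEAK_USER_DATA), ("hardened", HARDENED_USER_DATA)):
        found = audit(data)
        print(f"## {name} bootstrap: {len(found)} finding(s)\n{render_table(found)}\n")
```

Run it on the rendered user-data (the output of the launch template or Terraform `templatefile`, not the raw template) and fail the merge on any critical or high finding. The weak sample produces eight findings; the hardened rewrite produces none, which is the bar the pre-merge checklist in output (c) should set.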