aws-legacy-instance-meta
Ensure Instance Metadata Service Version 1 is not enabled
It is highly recommended to discontinue use of the legacy Instance Metadata Service Version 1 (IMDSv1).
IMDSv1 answers any unauthenticated GET request from the instance, so a Server-Side Request Forgery (SSRF)
vulnerability in a hosted web application can be exploited to read instance metadata, including the
temporary credentials of the instance's IAM role. IMDSv2 protects the metadata service by requiring a
session token: a client must first send a PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds
header to obtain the token, and then present it in the X-aws-ec2-metadata-token header on every subsequent
request. A typical SSRF only lets the attacker trigger a plain GET, with no control over the HTTP method or
request headers, so it cannot complete that exchange. Setting http_tokens to "required" turns IMDSv1 off
and leaves only IMDSv2 available; leaving it at "optional" keeps the legacy unauthenticated path open.
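The following script, added here as an illustration and not part of the rule's own documentation or of any AWS tooling, shows the difference in practice. It starts a mock metadata endpoint on 127.0.0.1 that imitates how 169.254.169.254 behaves with HttpTokens set to "optional" versus "required", then issues two kinds of request against it: the plain GET an SSRF payload typically produces, and the proper IMDSv2 PUT-then-GET handshake. The role name, credential values, token format and local port are all constructed for the example.

```python
"""Mock IMDSv1/IMDSv2 endpoint to show why required tokens blunt SSRF.
Added example; constructed data, not real AWS behaviour in every detail."""
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
# Constructed role name; the real path shape is the same.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/app-role"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
FAKE_CREDS = {"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "constructed", "Token": "constructed"}


def make_handler(http_tokens: str, issued: set):
    """Build a handler that mimics IMDS with HttpTokens 'optional' or 'required'."""

    class MockImds(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def _send(self, status: int, body: bytes = b""):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_PUT(self):
            # IMDSv2 only issues a token to a PUT that carries a valid TTL header.
            ttl = self.headers.get(TTL_HEADER)
            if self.path != TOKEN_PATH or ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
                return self._send(400)
            token = secrets.token_urlsafe(32)
            issued.add(token)
            self._send(200, token.encode())

        def do_GET(self):
            if self.path != CREDS_PATH:
                return self._send(404)
            token = self.headers.get(TOKEN_HEADER)
            if http_tokens == "required" and token not in issued:
                # v2-only instances reject the unauthenticated v1-style read.
                return self._send(401)
            self._send(200, json.dumps(FAKE_CREDS).encode())

    return MockImds


def ssrf_style_get(url: str) -> int:
    """What an SSRF in a URL-fetching feature usually yields: a GET with no custom headers."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def imdsv2_get(base: str, path: str) -> int:
    """A proper IMDSv2 client: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT", headers={TTL_HEADER: "21600"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_scenario(http_tokens: str) -> dict:
    """Start a mock IMDS with the given HttpTokens setting and probe it both ways."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(http_tokens, set()))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "http_tokens": http_tokens,
            "ssrf_status": ssrf_style_get(base + CREDS_PATH),
            "imdsv2_status": imdsv2_get(base, CREDS_PATH),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for setting in ("optional", "required"):
        print(run_scenario(setting))
```

With tokens optional, the header-less GET reads the credentials just as the v2 client does; with tokens required, the same GET gets a 401 while the v2 handshake still succeeds, which is the whole point of the rule.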
Examples
Insecure Example
resource "aws_launch_template" "foo" {
  name = "foo"
  metadata_options {
    # Endpoint reachable and tokens optional: IMDSv1 (unauthenticated GET) still works
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
  ...
}
{
  "Type" : "AWS::EC2::LaunchTemplate",
  "Properties" : {
    "LaunchTemplateName" : "foo",
    "LaunchTemplateData" : {
      "MetadataOptions" : {
        "HttpEndpoint" : "enabled",
        "HttpTokens" : "optional"
      }
    }
  }
}
Secure Example
resource "aws_launch_template" "foo" {
  name = "foo"
  metadata_options {
    # Tokens required: only the IMDSv2 PUT/GET session flow is accepted
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  ...
}
{
  "Type" : "AWS::EC2::LaunchTemplate",
  "Properties" : {
    "LaunchTemplateName" : "foo",
    "LaunchTemplateData" : {
      "MetadataOptions" : {
        "HttpEndpoint" : "enabled",
        "HttpTokens" : "required"
      }
    }
  }
}
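A small static check that applies this rule to a CloudFormation template, added here as an example rather than the scanner's own implementation. It walks every AWS::EC2::LaunchTemplate resource and reports those whose MetadataOptions do not pin HttpTokens to "required", including templates that omit MetadataOptions entirely, since an unpinned setting inherits whatever default the account or AMI applies. The embedded template is constructed from the examples above plus an unpinned resource and an unrelated bucket.

```python
"""Flag launch templates that still permit IMDSv1. Added example; sample template is constructed."""
import json


def find_legacy_imds(template: dict) -> list:
    """Return (logical_id, reason) for each launch template not pinned to HttpTokens=required."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::LaunchTemplate":
            continue
        data = res.get("Properties", {}).get("LaunchTemplateData", {})
        opts = data.get("MetadataOptions")
        if opts is None:
            # Not set at all: the instance inherits a default that may still allow IMDSv1.
            findings.append((logical_id, "MetadataOptions missing; HttpTokens not pinned to 'required'"))
        elif opts.get("HttpTokens") != "required":
            findings.append((logical_id, f"HttpTokens is {opts.get('HttpTokens', 'unset')!r}; expected 'required'"))
    return findings


# Constructed sample: the page's insecure and secure templates, one unpinned template, one non-EC2 resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "LegacyTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateName": "foo",
        "LaunchTemplateData": {
          "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}
        }
      }
    },
    "HardenedTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateName": "foo",
        "LaunchTemplateData": {
          "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}
        }
      }
    },
    "UnpinnedTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {"LaunchTemplateName": "foo", "LaunchTemplateData": {}}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


if __name__ == "__main__":
    for logical_id, reason in find_legacy_imds(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against a real template with `find_legacy_imds(json.load(open("template.json")))`; only the legacy and unpinned resources are reported, the hardened template and the bucket are not.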