enforce-http-token-imds
Default Severity: high
Explanation
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance
resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options
block and its http_tokens
variable set to required
.
Possible Impact
Instance metadata service can be interacted with freely
Suggested Resolution
Enable HTTP token requirement for IMDS
Insecure Example
The following example will fail the aws-ec2-enforce-http-token-imds check.
resource "aws_instance" "bad_example" {
ami = "ami-005e54dee72cc1d00"
instance_type = "t2.micro"
}
Secure Example
The following example will pass the aws-ec2-enforce-http-token-imds check.
resource "aws_instance" "good_example" {
ami = "ami-005e54dee72cc1d00"
instance_type = "t2.micro"
metadata_options {
http_tokens = "required"
}
}