HIGH
Source
Trivy/CSPM
CSPM ID
insecure-ec2-metadata-options
ID
AVD-AWS-0028

aws_instance should activate session tokens for Instance Metadata Service.

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS. By default aws_instance resource sets IMDS session auth tokens to be optional. To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

Impact

Instance metadata service can be interacted with freely

Follow the appropriate remediation steps below to resolve the issue.

Enable HTTP token requirement for IMDS

1
2
3
4
5
6
7
resource "aws_instance" "good_example" {
  ami           = "ami-005e54dee72cc1d00"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "required"
  }
}