IMDSv2 (Instance Metadata Service version 2) introduced session authentication tokens, which improve security when talking to IMDS: a caller must first obtain a short-lived token with a PUT request and then present it on every metadata GET.
By default, the aws_instance resource leaves IMDS session tokens optional, so requests without a token (the IMDSv1 style) are still answered.
To fully protect IMDS you need to require session tokens by adding a metadata_options block with its http_tokens attribute set to required.
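The following is an added illustration, not code from the page or from AWS: a small in-memory model of how the metadata endpoint treats requests under the two http_tokens settings. The header names, the token path and the 21600-second TTL ceiling are the real IMDSv2 ones; the token format, the response bodies and the `FakeImds` class itself are assumptions made for the model. It shows that under "required" a caller that cannot perform the PUT step first gets refused, while under "optional" a bare GET still succeeds.

```python
"""Toy model of IMDS request handling under http_tokens = optional / required.

Added illustration only (not AWS's implementation). It models just the
behaviour that the http_tokens setting changes.
"""
import secrets
import time

# Real IMDSv2 names; matched case-insensitively below.
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL_SECONDS = 21600


class FakeImds:
    """Hypothetical stand-in for the metadata endpoint (assumption for this example)."""

    def __init__(self, http_tokens="optional", now=time.time):
        if http_tokens not in ("optional", "required"):
            raise ValueError("http_tokens must be 'optional' or 'required'")
        self.http_tokens = http_tokens
        self.now = now              # injectable clock so expiry can be tested
        self._tokens = {}           # token -> absolute expiry time

    def handle(self, method, path, headers=None):
        """Return (status, body) for one request."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}

        # Step 1 of IMDSv2: PUT with a TTL header yields a session token.
        if method == "PUT" and path == TOKEN_PATH:
            try:
                ttl = int(headers.get(TTL_HEADER, ""))
            except ValueError:
                return 400, "missing or invalid TTL header"
            if not 1 <= ttl <= MAX_TTL_SECONDS:
                return 400, "TTL out of range"
            token = secrets.token_urlsafe(32)   # constructed token format
            self._tokens[token] = self.now() + ttl
            return 200, token

        if method != "GET":
            return 405, "method not allowed"

        # Step 2: a GET carrying a valid, unexpired token is always served.
        token = headers.get(TOKEN_HEADER)
        if token is not None:
            expiry = self._tokens.get(token)
            if expiry is None or expiry < self.now():
                return 401, "invalid or expired token"
            return 200, f"metadata for {path}"

        # No token: this is the only place the setting matters.
        if self.http_tokens == "required":
            return 401, "IMDSv2 session token required"
        return 200, f"metadata for {path}"   # IMDSv1-style access still allowed


def v2_get(imds, path, ttl=60):
    """Perform the full two-step IMDSv2 exchange and return the final status."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        return status
    return imds.handle("GET", path, {TOKEN_HEADER: token})[0]


def compare_modes(path="/latest/meta-data/instance-id"):
    """Status codes seen by a token-less GET and by a proper v2 exchange per mode."""
    result = {}
    for mode in ("optional", "required"):
        imds = FakeImds(mode)
        result[mode] = {
            "bare_get": imds.handle("GET", path)[0],
            "v2_exchange": v2_get(imds, path),
        }
    return result


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(f"http_tokens={mode}: {outcome}")
```

The `compare_modes()` table is the point of the model: with `optional` both rows succeed, with `required` only the two-step exchange does, which is exactly the difference the remediation below enforces.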
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable HTTP token requirement for IMDS (CloudFormation)

Resources:
  GoodExample:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      MetadataOptions:
        HttpEndpoint: enabled
        HttpTokens: required
Enable HTTP token requirement for IMDS (Terraform)

resource "aws_launch_template" "good_example" {
  image_id      = "ami-005e54dee72cc1d00"
  instance_type = "t2.micro"

  metadata_options {
    http_tokens = "required"
  }
}
resource "aws_launch_configuration" "good_example" {
  image_id      = "ami-005e54dee72cc1d00"
  instance_type = "t2.micro"

  metadata_options {
    http_tokens = "required"
  }
}
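As an added example (not the page's own check and not tfsec code), here is detection logic that applies the rule above to infrastructure definitions before they are deployed. It accepts either a CloudFormation template loaded as a dict (the `Resources` / `Type` / `Properties` layout, with `MetadataOptions` nested under `LaunchTemplateData` for `AWS::EC2::LaunchTemplate`) or the JSON emitted by `terraform show -json` (the `planned_values.root_module.resources[].values.metadata_options` layout). Both sample inputs are constructed for this example; the resource names and AMI placeholder in them are not from any real account.

```python
"""Flag launch configurations, launch templates and instances whose IMDS does
not require session tokens. Added example, not part of the original page.
"""
import json
import sys

# CloudFormation: resource type -> path from Properties to the MetadataOptions map.
CFN_TYPES = {
    "AWS::AutoScaling::LaunchConfiguration": ("MetadataOptions",),
    "AWS::EC2::LaunchTemplate": ("LaunchTemplateData", "MetadataOptions"),
}
# Terraform resource types that carry a metadata_options block.
TF_TYPES = {"aws_launch_configuration", "aws_launch_template", "aws_instance"}


def _dig(obj, path):
    """Follow a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def check_cloudformation(template):
    """Return one finding string per offending CloudFormation resource."""
    findings = []
    for name, res in (template.get("Resources") or {}).items():
        path = CFN_TYPES.get(res.get("Type"))
        if path is None:
            continue
        opts = _dig(res.get("Properties") or {}, path) or {}
        tokens = opts.get("HttpTokens")          # absent means the AWS default (optional)
        if tokens != "required":
            findings.append(f"{name}: HttpTokens is {tokens!r}, expected 'required'")
    return findings


def _tf_resources(module):
    """Walk root and child modules of a terraform show -json plan."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _tf_resources(child)


def check_terraform_plan(plan):
    """Return one finding string per offending resource in a Terraform plan."""
    findings = []
    root = _dig(plan, ("planned_values", "root_module")) or {}
    for res in _tf_resources(root):
        if res.get("type") not in TF_TYPES:
            continue
        blocks = res.get("values", {}).get("metadata_options") or []
        tokens = blocks[0].get("http_tokens") if blocks else None   # no block -> optional
        if tokens != "required":
            findings.append(f"{res['address']}: http_tokens is {tokens!r}, expected 'required'")
    return findings


def check_document(doc):
    """Detect the input format and run the matching check."""
    if "Resources" in doc:
        return check_cloudformation(doc)
    if "planned_values" in doc:
        return check_terraform_plan(doc)
    raise ValueError("neither a CloudFormation template nor a Terraform plan JSON")


# Constructed sample inputs (not real deployments).
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodExample": {"Type": "AWS::AutoScaling::LaunchConfiguration",
                        "Properties": {"MetadataOptions": {"HttpEndpoint": "enabled",
                                                           "HttpTokens": "required"}}},
        "OptionalTokens": {"Type": "AWS::EC2::LaunchTemplate",
                           "Properties": {"LaunchTemplateData": {
                               "MetadataOptions": {"HttpTokens": "optional"}}}},
        "NoMetadataOptions": {"Type": "AWS::AutoScaling::LaunchConfiguration",
                              "Properties": {"ImageId": "ami-EXAMPLE"}},
        "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}
SAMPLE_PLAN = {
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_launch_template.good_example", "type": "aws_launch_template",
             "values": {"instance_type": "t2.micro",
                        "metadata_options": [{"http_tokens": "required"}]}},
            {"address": "aws_launch_configuration.legacy", "type": "aws_launch_configuration",
             "values": {"instance_type": "t2.micro", "metadata_options": []}},
        ],
        "child_modules": [{"address": "module.workers", "resources": [
            {"address": "module.workers.aws_instance.node", "type": "aws_instance",
             "values": {"metadata_options": [{"http_tokens": "optional"}]}}]}],
    }}
}

if __name__ == "__main__":
    docs = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_TEMPLATE, SAMPLE_PLAN]
    for doc in docs:
        for finding in check_document(doc):
            print(finding)
```

Run it with no arguments to see the findings for the embedded samples, or pass JSON template and plan files as arguments; a non-empty result is a failed check. Note that a missing MetadataOptions block is reported as a finding too, because the absence of http_tokens means the default (optional) applies.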
Links