
Enforce Launch Config Http Token Imds

Severity: HIGH
Source: Trivy
ID: AVD-AWS-0130

aws_instance should activate session tokens for Instance Metadata Service.

IMDSv2 (Instance Metadata Service version 2) introduced session authentication tokens, which improve security when talking to IMDS. By default the aws_instance resource leaves IMDS session tokens optional, so the unauthenticated IMDSv1 request path remains available. To fully protect IMDS, require session tokens by adding a metadata_options block with its http_tokens variable set to required.

Impact

The instance metadata service can be interacted with freely, without a session token.

Follow the appropriate remediation steps below to resolve the issue.

Enable HTTP token requirement for IMDS (CloudFormation)

Resources:
  GoodExample:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      MetadataOptions:
        HttpTokens: required
        HttpEndpoint: enabled

Enable HTTP token requirement for IMDS (Terraform)

resource "aws_launch_template" "good_example" {
  image_id      = "ami-005e54dee72cc1d00"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "required"
  }
}
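As an added example (not part of the Trivy page or its checks), the following Python script applies the same rule to a parsed CloudFormation template: it flags launch configurations and launch templates whose MetadataOptions.HttpTokens is anything other than required, treating an unset value as a finding because the service default is optional. The sample template, the resource names and the ami-EXAMPLE placeholder are constructed; the LaunchTemplateData nesting for AWS::EC2::LaunchTemplate is an assumption from the CloudFormation schema, not from this page.

```python
import json

# Resource types covered by the check, mapped to the property path of their
# MetadataOptions block. Assumption (not from the page): AWS::EC2::LaunchTemplate
# nests MetadataOptions under LaunchTemplateData.
METADATA_PATHS = {
    "AWS::AutoScaling::LaunchConfiguration": ("MetadataOptions",),
    "AWS::EC2::LaunchTemplate": ("LaunchTemplateData", "MetadataOptions"),
}


def http_tokens_setting(resource):
    """Return the HttpTokens value of a covered resource, or None when unset."""
    path = METADATA_PATHS.get(resource.get("Type"))
    if path is None:
        return None  # resource type not covered by this check
    node = resource.get("Properties", {})
    for key in path:
        node = node.get(key)
        if not isinstance(node, dict):
            return None  # block missing: AWS applies the default of "optional"
    return node.get("HttpTokens")


def find_optional_imds(template):
    """Return names of covered resources that do not require IMDSv2 tokens."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in METADATA_PATHS:
            continue
        if http_tokens_setting(res) != "required":
            findings.append(name)
    return sorted(findings)


# Constructed sample template: one compliant resource, one explicitly optional,
# one launch template with no MetadataOptions at all (ami-EXAMPLE is a placeholder).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "GoodExample": {"Type": "AWS::AutoScaling::LaunchConfiguration",
    "Properties": {"MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}}},
  "BadExample": {"Type": "AWS::AutoScaling::LaunchConfiguration",
    "Properties": {"MetadataOptions": {"HttpTokens": "optional"}}},
  "UnsetTemplate": {"Type": "AWS::EC2::LaunchTemplate",
    "Properties": {"LaunchTemplateData": {"ImageId": "ami-EXAMPLE"}}}
}}
""")

if __name__ == "__main__":
    for name in find_optional_imds(SAMPLE_TEMPLATE):
        print(f"{name}: IMDS HttpTokens is not 'required' (AVD-AWS-0130)")
```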