Support setting EC2 instance metadata to require token (IMDSv2)

[geoffroyrenaud]

Following the announce on the aws security blog about improving SSRF vuln : https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

Use Case

EC2 instances can be set to require IMDSv2 only.

Proposed Solution

This can be done with running instances or by using correct IAM policy, documentation : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-options

---

This is a 🚀 Feature Request

[mauricioharley]

Hello, team. What's the progress on this? Does CDK already support directly specifying IMDSv2 for new instances, or do we need to use custom resources?

If custom is the answer, is there any example to follow?

Thanks.

[jumi-dev]

@mauricioharley As long as it is not supported in the ec2 instance construct in CDK, you can use the AwsCustomResource to call SDK method modifyInstanceMetadataOptions. There, you can set the metadata options to enforce IMDSv2.

new cr.AwsCustomResource(this, "InstanceMetadataOptions", {
  onUpdate: {
    service: "EC2",
    action: "modifyInstanceMetadataOptions",
    parameters: {
      InstanceId: myInstance.instanceId,
      HttpEndpoint: 'enabled',
      HttpTokens: 'required'
    },
    region: this.region,
    physicalResourceId: cr.PhysicalResourceId.of(myInstance.instanceId),
  },
  policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
    resources: [`arn:aws:ec2:${this.region}:${this.account}:instance/${myInstance.instanceId}`],
  }),
});

[jumi-dev]

The CloudFormation feature is missing to specifiy the instance metadata. A request is already created:
aws-cloudformation/cloudformation-coverage-roadmap#655

This issue could be flagged with label needs-cfn.

[skinny85]

The CloudFormation feature is missing to specifiy the instance metadata. A request is already created:
aws-cloudformation/aws-cloudformation-coverage-roadmap#655

This issue could be flagged with label needs-cfn.

Sir yes sir! 😃