feat(ec2): add aspect to require imdsv2 (#16051)

Partially fixes: #5137
Related PR: #16052

**Note:** This PR and the above related PR have common code that has been duplicated across these two PRs because I decided it made more sense for these Aspects to be in the same package with the constructs they work with. However, it means I had to duplicate some of the base class code across the two PRs. Looking for an opinion on what's better here:
- Should we keep it as is (2 PRs) so these Aspects are cleanly separated? or,
- Does it make sense to either combine them in some way (e.g. a new package `@aws-cdk/aspects`) or have one reference the other (maybe the AutoScalingGroup aspect can reference the code in this PR since it already depends on this package).

### Changes
Adds an aspect that can enable/disable IMDSv1 on Instances and Launch Templates.

### Testing
Added unit tests

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-ec2/README.md

@@ -994,6 +994,33 @@ instance.userData.addCommands(
 );
 ```
 
+### Configuring Instance Metadata Service (IMDS)
+
+#### Toggling IMDSv1
+
+You can configure [EC2 Instance Metadata Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) options to either
+allow both IMDSv1 and IMDSv2 or enforce IMDSv2 when interacting with the IMDS.
+
+To do this for a single `Instance`, you can use the `requireImdsv2` property.
+The example below demonstrates IMDSv2 being required on a single `Instance`:
+
+```ts
+new ec2.Instance(this, 'Instance', {
+  requireImdsv2: true,
+  // ...
+});
+```
+
+You can also use the either the `InstanceRequireImdsv2Aspect` for EC2 instances or the `LaunchTemplateRequireImdsv2Aspect` for EC2 launch templates
+to apply the operation to multiple instances or launch templates, respectively.
+
+The following example demonstrates how to use the `InstanceRequireImdsv2Aspect` to require IMDSv2 for all EC2 instances in a stack:
+
+```ts
+const aspect = new ec2.InstanceRequireImdsv2Aspect();
+Aspects.of(stack).add(aspect);
+```
+
 ## VPC Flow Logs
 
 VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination. (<https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html>).

packages/@aws-cdk/aws-ec2/lib/aspects/index.ts

@@ -0,0 +1 @@
+export * from './require-imdsv2-aspect';

packages/@aws-cdk/aws-ec2/lib/aspects/require-imdsv2-aspect.ts

@@ -0,0 +1,150 @@
+import * as cdk from '@aws-cdk/core';
+import { CfnLaunchTemplate } from '../ec2.generated';
+import { Instance } from '../instance';
+import { LaunchTemplate } from '../launch-template';
+
+/**
+ * Properties for `RequireImdsv2Aspect`.
+ */
+interface RequireImdsv2AspectProps {
+  /**
+   * Whether warning annotations from this Aspect should be suppressed or not.
+   *
+   * @default - false
+   */
+  readonly suppressWarnings?: boolean;
+}
+
+/**
+ * Base class for Aspect that makes IMDSv2 required.
+ */
+abstract class RequireImdsv2Aspect implements cdk.IAspect {
+  protected readonly suppressWarnings: boolean;
+
+  constructor(props?: RequireImdsv2AspectProps) {
+    this.suppressWarnings = props?.suppressWarnings ?? false;
+  }
+
+  abstract visit(node: cdk.IConstruct): void;
+
+  /**
+   * Adds a warning annotation to a node, unless `suppressWarnings` is true.
+   *
+   * @param node The scope to add the warning to.
+   * @param message The warning message.
+   */
+  protected warn(node: cdk.IConstruct, message: string) {
+    if (this.suppressWarnings !== true) {
+      cdk.Annotations.of(node).addWarning(`${RequireImdsv2Aspect.name} failed on node ${node.node.id}: ${message}`);
+    }
+  }
+}
+
+/**
+ * Properties for `InstanceRequireImdsv2Aspect`.
+ */
+export interface InstanceRequireImdsv2AspectProps extends RequireImdsv2AspectProps {
+  /**
+   * Whether warnings that would be raised when an Instance is associated with an existing Launch Template
+   * should be suppressed or not.
+   *
+   * You can set this to `true` if `LaunchTemplateImdsAspect` is being used alongside this Aspect to
+   * suppress false-positive warnings because any Launch Templates associated with Instances will still be covered.
+   *
+   * @default - false
+   */
+  readonly suppressLaunchTemplateWarning?: boolean;
+}
+
+/**
+ * Aspect that applies IMDS configuration on EC2 Instance constructs.
+ *
+ * This aspect configures IMDS on an EC2 instance by creating a Launch Template with the
+ * IMDS configuration and associating that Launch Template with the instance. If an Instance
+ * is already associated with a Launch Template, a warning will (optionally) be added to the
+ * construct node and it will be skipped.
+ *
+ * To cover Instances already associated with Launch Templates, use `LaunchTemplateImdsAspect`.
+ */
+export class InstanceRequireImdsv2Aspect extends RequireImdsv2Aspect {
+  private readonly suppressLaunchTemplateWarning: boolean;
+
+  constructor(props?: InstanceRequireImdsv2AspectProps) {
+    super(props);
+    this.suppressLaunchTemplateWarning = props?.suppressLaunchTemplateWarning ?? false;
+  }
+
+  visit(node: cdk.IConstruct): void {
+    if (!(node instanceof Instance)) {
+      return;
+    }
+    if (node.instance.launchTemplate !== undefined) {
+      this.warn(node, 'Cannot toggle IMDSv1 because this Instance is associated with an existing Launch Template.');
+      return;
+    }
+
+    const name = `${node.node.id}LaunchTemplate`;
+    const launchTemplate = new CfnLaunchTemplate(node, 'LaunchTemplate', {
+      launchTemplateData: {
+        metadataOptions: {
+          httpTokens: 'required',
+        },
+      },
+      launchTemplateName: name,
+    });
+    node.instance.launchTemplate = {
+      launchTemplateName: name,
+      version: launchTemplate.getAtt('LatestVersionNumber').toString(),
+    };
+  }
+
+  protected warn(node: cdk.IConstruct, message: string) {
+    if (this.suppressLaunchTemplateWarning !== true) {
+      super.warn(node, message);
+    }
+  }
+}
+
+/**
+ * Properties for `LaunchTemplateRequireImdsv2Aspect`.
+ */
+export interface LaunchTemplateRequireImdsv2AspectProps extends RequireImdsv2AspectProps {}
+
+/**
+ * Aspect that applies IMDS configuration on EC2 Launch Template constructs.
+ *
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata-metadataoptions.html
+ */
+export class LaunchTemplateRequireImdsv2Aspect extends RequireImdsv2Aspect {
+  constructor(props?: LaunchTemplateRequireImdsv2AspectProps) {
+    super(props);
+  }
+
+  visit(node: cdk.IConstruct): void {
+    if (!(node instanceof LaunchTemplate)) {
+      return;
+    }
+
+    const launchTemplate = node.node.tryFindChild('Resource') as CfnLaunchTemplate;
+    const data = launchTemplate.launchTemplateData;
+    if (cdk.isResolvableObject(data)) {
+      this.warn(node, 'LaunchTemplateData is a CDK token.');
+      return;
+    }
+
+    const metadataOptions = (data as CfnLaunchTemplate.LaunchTemplateDataProperty).metadataOptions;
+    if (cdk.isResolvableObject(metadataOptions)) {
+      this.warn(node, 'LaunchTemplateData.MetadataOptions is a CDK token.');
+      return;
+    }
+
+    const newData: CfnLaunchTemplate.LaunchTemplateDataProperty = {
+      ...data,
+      metadataOptions: {
+        ...metadataOptions,
+        httpTokens: 'required',
+      },
+    };
+    launchTemplate.launchTemplateData = newData;
+  }
+}

packages/@aws-cdk/aws-ec2/lib/index.ts

@@ -1,3 +1,4 @@
+export * from './aspects';
 export * from './bastion-host';
 export * from './connections';
 export * from './cfn-init';

packages/@aws-cdk/aws-ec2/lib/instance.ts

@@ -1,8 +1,9 @@
 import * as crypto from 'crypto';
 import * as iam from '@aws-cdk/aws-iam';
 
-import { Annotations, Duration, Fn, IResource, Lazy, Resource, Stack, Tags } from '@aws-cdk/core';
+import { Annotations, Aspects, Duration, Fn, IResource, Lazy, Resource, Stack, Tags } from '@aws-cdk/core';
 import { Construct } from 'constructs';
+import { InstanceRequireImdsv2Aspect } from './aspects';
 import { CloudFormationInit } from './cfn-init';
 import { Connections, IConnectable } from './connections';
 import { CfnInstance } from './ec2.generated';
@@ -230,6 +231,13 @@ export interface InstanceProps {
    * @default - default options
    */
   readonly initOptions?: ApplyCloudFormationInitOptions;
+
+  /**
+   * Whether IMDSv2 should be required on this instance.
+   *
+   * @default - false
+   */
+  readonly requireImdsv2?: boolean;
 }
 
 /**
@@ -408,6 +416,10 @@ export class Instance extends Resource implements IInstance {
         return `${originalLogicalId}${digest}`;
       },
     }));
+
+    if (props.requireImdsv2) {
+      Aspects.of(this).add(new InstanceRequireImdsv2Aspect());
+    }
   }
 
   /**

packages/@aws-cdk/aws-ec2/lib/launch-template.ts

@@ -12,8 +12,10 @@ import {
   TagType,
   Tags,
   Token,
+  Aspects,
 } from '@aws-cdk/core';
 import { Construct } from 'constructs';
+import { LaunchTemplateRequireImdsv2Aspect } from '.';
 import { Connections, IConnectable } from './connections';
 import { CfnLaunchTemplate } from './ec2.generated';
 import { InstanceType } from './instance-types';
@@ -332,6 +334,13 @@ export interface LaunchTemplateProps {
    * @default No security group is assigned.
    */
   readonly securityGroup?: ISecurityGroup;
+
+  /**
+   * Whether IMDSv2 should be required on launched instances.
+   *
+   * @default - false
+   */
+  readonly requireImdsv2?: boolean;
 }
 
 /**
@@ -637,6 +646,10 @@ export class LaunchTemplate extends Resource implements ILaunchTemplate, iam.IGr
     this.latestVersionNumber = resource.attrLatestVersionNumber;
     this.launchTemplateId = resource.ref;
     this.versionNumber = Token.asString(resource.getAtt('LatestVersionNumber'));
+
+    if (props.requireImdsv2) {
+      Aspects.of(this).add(new LaunchTemplateRequireImdsv2Aspect());
+    }
   }
 
   /**