aws_cdk.aws_ec2 NatInstanceProvider: missing require_imdsv2 #23803

iamgabeortiz opened this issue Jan 24, 2023 · 2 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@iamgabeortiz

Describe the feature

Can we get the require_imdsv2 parameter added to the aws_cdk.aws_ec2 NatInstanceProvider resource?
This was resolved for EC2 and ASG here: Support setting EC2 instance metadata to require token (IMDSv2) #5137

#16051
#16052

Use Case

The AWS Foundational Security Best Practices v1.0.0 for Security Hub will produce a finding for the NAT instances under EC2.8: EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.61.1 (build d319d9c)

Environment details (OS name and version, etc.)

WSL: Ubuntu 20.04.5 LTS (Focal Fossa)

@iamgabeortiz iamgabeortiz added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jan 24, 2023
@peterwoodworth
Contributor

peterwoodworth commented Feb 14, 2023

Thanks for the request. We could certainly add the option to specify this; we would just need to add the setting and a way to toggle it here:

```ts
const natInstance = new Instance(sub, 'NatInstance', {
  instanceType: this.props.instanceType,
  machineImage,
  sourceDestCheck: false, // Required for NAT
  vpc: options.vpc,
  vpcSubnets: { subnets: [sub] },
  securityGroup: this._securityGroup,
  role,
  keyName: this.props.keyName,
});
```

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2023
lpizzinidev added a commit to lpizzinidev/aws-cdk that referenced this issue Feb 23, 2023
@davemssavage

I've just encountered this issue; it'd be nice to have a fix as per the merge request that appears to have got dropped. In the interim, adding the following:

```ts
cdk.Aspects.of(stack).add(new ec2.InstanceRequireImdsv2Aspect())
```

to my app seems to work as a catch-all to ensure the NAT instance is set to IMDSv2: Required.
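The aspect workaround above only helps if it actually lands in the synthesized template, so it is worth verifying the output of `cdk synth` rather than trusting the construct tree. In CloudFormation, "IMDSv2: Required" is expressed as `MetadataOptions.HttpTokens: required` in a launch template's `LaunchTemplateData`; `InstanceRequireImdsv2Aspect` attaches such a launch template to each `AWS::EC2::Instance`. The following offline checker is an added example, not code from this issue or from the aws-cdk project: it walks a template's `Resources`, resolves each instance's launch template through its `Ref`, and reports instances and launch templates that do not enforce IMDSv2 (the same condition Security Hub control EC2.8 flags). The embedded template is constructed for illustration; in practice you would load `cdk.out/<StackName>.template.json`.

```python
"""Offline check of a synthesized CloudFormation template for IMDSv2 enforcement.

Added example; the sample template below is constructed by hand to mimic the
shape CDK produces when an Instance is wrapped by InstanceRequireImdsv2Aspect
(a launch template with HttpTokens=required attached to the instance), plus
one instance and one launch template that would fail Security Hub EC2.8.
"""
import json

SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "NatInstanceLaunchTemplate": {
            "Type": "AWS::EC2::LaunchTemplate",
            "Properties": {
                "LaunchTemplateData": {
                    "MetadataOptions": {"HttpTokens": "required"}
                }
            },
        },
        "NatInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "t3.micro",
                "SourceDestCheck": False,
                "LaunchTemplate": {
                    "LaunchTemplateId": {"Ref": "NatInstanceLaunchTemplate"},
                    "Version": {"Fn::GetAtt": ["NatInstanceLaunchTemplate",
                                                "LatestVersionNumber"]},
                },
            },
        },
        # Instance with no launch template at all: IMDSv1 stays reachable.
        "BastionInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"InstanceType": "t3.micro"},
        },
        # Launch template (e.g. for an ASG) that explicitly allows IMDSv1.
        "OptionalTemplate": {
            "Type": "AWS::EC2::LaunchTemplate",
            "Properties": {"LaunchTemplateData": {
                "MetadataOptions": {"HttpTokens": "optional"}}},
        },
    }
})


def launch_template_http_tokens(resources, lt_logical_id):
    """Return the HttpTokens value of a launch template, or None if unset."""
    lt = resources.get(lt_logical_id, {})
    data = lt.get("Properties", {}).get("LaunchTemplateData", {})
    return data.get("MetadataOptions", {}).get("HttpTokens")


def find_imdsv1_instances(template_json):
    """Sorted logical IDs of AWS::EC2::Instance resources not enforcing IMDSv2.

    An instance passes only when it references, via Ref, a launch template in
    the same stack whose HttpTokens is 'required'. Instances pointing at a
    launch template outside the template (a literal ID) cannot be verified
    offline and are reported as findings.
    """
    resources = json.loads(template_json).get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        lt_ref = props.get("LaunchTemplate", {}).get("LaunchTemplateId")
        tokens = None
        if isinstance(lt_ref, dict) and "Ref" in lt_ref:
            tokens = launch_template_http_tokens(resources, lt_ref["Ref"])
        if tokens != "required":
            findings.append(logical_id)
    return sorted(findings)


def find_imdsv1_launch_templates(template_json):
    """Sorted logical IDs of launch templates whose HttpTokens is not 'required'."""
    resources = json.loads(template_json).get("Resources", {})
    return sorted(
        logical_id
        for logical_id, res in resources.items()
        if res.get("Type") == "AWS::EC2::LaunchTemplate"
        and launch_template_http_tokens(resources, logical_id) != "required"
    )


if __name__ == "__main__":
    print("instances without IMDSv2:", find_imdsv1_instances(SAMPLE_TEMPLATE))
    print("launch templates without IMDSv2:",
          find_imdsv1_launch_templates(SAMPLE_TEMPLATE))
```

Running this against the constructed template reports `BastionInstance` and `OptionalTemplate` only; `NatInstance` passes because its launch template sets `HttpTokens: required`. Wiring the same check into CI after `cdk synth` catches the case this issue describes, where a construct offers no `requireImdsv2` switch and the aspect is the only thing enforcing the setting.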
