Support setting EC2 instance metadata to require token (IMDSv2) #5137
Comments
geoffroyrenaud
added
feature-request
|
Hello, team. What's the progress on this? Does CDK already support directly specifying IMDSv2 for new instances, or do we need to use custom resources? If custom is the answer, is there any example to follow? Thanks. |
|
@mauricioharley As long as it is not supported in the ec2 instance construct in CDK, you can use the AwsCustomResource to call SDK method modifyInstanceMetadataOptions. There, you can set the metadata options to enforce IMDSv2. new cr.AwsCustomResource(this, "InstanceMetadataOptions", {
onUpdate: {
service: "EC2",
action: "modifyInstanceMetadataOptions",
parameters: {
InstanceId: myInstance.instanceId,
HttpEndpoint: 'enabled',
HttpTokens: 'required'
},
region: this.region,
physicalResourceId: cr.PhysicalResourceId.of(myInstance.instanceId),
},
policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
resources: [`arn:aws:ec2:${this.region}:${this.account}:instance/${myInstance.instanceId}`],
}),
}); |
|
The CloudFormation feature is missing to specifiy the instance metadata. A request is already created: This issue could be flagged with label needs-cfn. |
skinny85
added
the
needs-cfn
Sir yes sir! 😃 |
|
Can this issue be updated with the current status? I'm interested in using higher level constructs (like the ASG) to set metadata options, but I'm not seeing a path forward after navigating through the various linked issues. Is this still blocked by CloudFormation? The following docs appear to show it's now supported: |
rix0rrr
added
good first issue
|
@richarddotcodes you are right this can now be implemented. This means you can now use the regular Escape Hatching mechanism of CDK to configure these options, or someone can submit a PR to add the feature. Example escape hatching code: const launchConfig = autoScalingGroup.node.tryFindChild('LaunchConfig') as autoscaling.CfnLaunchConfiguration;
launchConfig.metadataOptions = { httpTokens: 'required' };
// OR
launchConfig.addPropertyOverride('MetadataOptions', {
HttpTokens: 'required',
}); |
|
An Aspect that applies the change for all ASGs and EC2 instances would be a welcome addition, but those could equally well be two different PRs. |
|
I'd be happy to tackle this one. I agree that applying the change at larger scopes could be different PRs, so if all goes well, maybe I can take those later too. |
That looks like for EC2s created by ASGs only. Regular EC2 instances seem to still be missing this feature and aws-cloudformation/cloudformation-coverage-roadmap#655 is still open. |
|
I've been able to create an EC2 with IMDSv2 using launch templates. const launchTemplate = new ec2.LaunchTemplate(this, 'LaunchTemplate', {});
// The LaunchTemplate construct doesn't support setting the metadata options, so escape hatch time...
const CfnLaunchTemplate = launchTemplate.node.defaultChild as ec2.CfnLaunchTemplate;
CfnLaunchTemplate.launchTemplateData = {
metadataOptions: {
httpTokens: 'required',
}
}
const myEC2= new ec2.Instance(this, 'Instance', {
vpc,
// etc.
}
// The Instance construct doesn't support setting the launch template, so break out _again_...
const CfnMyEC2 = myEC2.node.defaultChild as ec2.CfnInstance;
CfnMyEC2.launchTemplate = {
launchTemplateId: launchTemplate.launchTemplateId,
version: launchTemplate.versionNumber,
} |
|
I've got a change ready that allows setting the metadata options in the autoscaling group construct. I created an interface to wrap the options and am passing it in via the asg props. It made sense to put this interface in the instance construct in aws-ec2, since it's a property of the instances and not asg. The issue I'm facing is that the ec2 tests fail awslint because I'm exporting this interface (for use in aws-autoscaling), but not using it directly in the instance class in instance.ts. Any thoughts on my approach? |
|
Checking in again. If I could get some feedback to unblock this change, it would be much appreciated. Thanks! |
|
I also need this for
Thought about this again, maybe it makes more sense to have different Aspects that achieve this per construct supported. Then, they could just exist in the corresponding service construct library. Instead of my original idea of having a single Aspect to handle all constructs that support the option to require IMDSv2, we'll just have one for each construct listed above. I think I'll start with this idea and create a PR, then go from there. |
Partially fixes: #5137 Related PR: #16051 **Note:** I have some concerns about duplicated code between this and the above linked PR. Please see that PR for more details. ### Changes Adds an aspect that can enable/disable IMDSv1 on AutoScalingGroups ### Testing Added unit tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Partially fixes: #5137 Related PR: #16052 **Note:** This PR and the above related PR have common code that has been duplicated across these two PRs because I decided it made more sense for these Aspects to be in the same package with the constructs they work with. However, it means I had to duplicate some of the base class code across the two PRs. Looking for an opinion on what's better here: - Should we keep it as is (2 PRs) so these Aspects are cleanly separated? or, - Does it make sense to either combine them in some way (e.g. a new package `@aws-cdk/aspects`) or have one reference the other (maybe the AutoScalingGroup aspect can reference the code in this PR since it already depends on this package). ### Changes Adds an aspect that can enable/disable IMDSv1 on Instances and Launch Templates. ### Testing Added unit tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Partially fixes: aws#5137 Related PR: aws#16051 **Note:** I have some concerns about duplicated code between this and the above linked PR. Please see that PR for more details. ### Changes Adds an aspect that can enable/disable IMDSv1 on AutoScalingGroups ### Testing Added unit tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Partially fixes: aws#5137 Related PR: aws#16052 **Note:** This PR and the above related PR have common code that has been duplicated across these two PRs because I decided it made more sense for these Aspects to be in the same package with the constructs they work with. However, it means I had to duplicate some of the base class code across the two PRs. Looking for an opinion on what's better here: - Should we keep it as is (2 PRs) so these Aspects are cleanly separated? or, - Does it make sense to either combine them in some way (e.g. a new package `@aws-cdk/aspects`) or have one reference the other (maybe the AutoScalingGroup aspect can reference the code in this PR since it already depends on this package). ### Changes Adds an aspect that can enable/disable IMDSv1 on Instances and Launch Templates. ### Testing Added unit tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Following the announce on the aws security blog about improving SSRF vuln : https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
Use Case
EC2 instances can be set to require IMDSv2 only.
Proposed Solution
This can be done with running instances or by using correct IAM policy, documentation : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-options
This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: