
Add new check: Enforce IMDSv2 in EC2 instance and Launch Configuration #152

Closed
jonjozwiak opened this issue Mar 25, 2020 · 6 comments
Closed
Labels
fast-lane New check contributions good first issue Good for newcomers

Comments

@jonjozwiak
Contributor

Blog Post Here: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata-metadataoptions.html
- Doesn’t appear possible for individual EC2 instance…

Terraform: It does not appear configurable, but suggest further research.
https://www.terraform.io/docs/providers/aws/r/launch_template.html
https://www.terraform.io/docs/providers/aws/r/instance.html

@schosterbarak schosterbarak added good first issue Good for newcomers fast-lane New check contributions labels Mar 25, 2020
@KevinHock
Contributor

KevinHock commented Jul 23, 2020

This would be a great feature to have!

For Terraform, I think we would do

    def imdsv2_enforced(metadata_options: dict) -> bool:
        """True when the instance cannot be reached over IMDSv1 (tokens required or endpoint off)."""
        if (
            metadata_options.get("http_tokens") == "required"
            or
            metadata_options.get("http_endpoint") == "disabled"
        ):
            return True   # return and don't alert...
        return False      # otherwise, alert

from https://www.terraform.io/docs/providers/aws/r/instance.html#metadata-options
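To show the logic above running end to end for both resource types discussed in this issue (Terraform `aws_instance` / `aws_launch_template` / `aws_launch_configuration`, and the CloudFormation `AWS::EC2::LaunchTemplate` and `AWS::AutoScaling::LaunchConfiguration` workaround), here is an added, standalone example. It is not Checkov's own check code and does not import Checkov; the function names (`imdsv2_enforced`, `check_terraform`, `check_cloudformation`, `_first`), the `PASSED`/`FAILED` strings and the sample resources are constructed for illustration. It assumes the Terraform input is laid out the way Checkov hands a parsed resource to a check (attribute values wrapped in lists, a nested block as a list of dicts), and it treats a missing `metadata_options`/`MetadataOptions` block as a failure because the provider default leaves `http_tokens` at `optional`, i.e. IMDSv1 still answers.

```python
# Added example (not Checkov's own code): a standalone IMDSv2 check that mirrors
# the "tokens required OR endpoint disabled" logic proposed in this issue, for
# Terraform and CloudFormation resources. Helper names and sample data are
# constructed for illustration.
from typing import Any, Mapping, Optional, Sequence

PASSED, FAILED = "PASSED", "FAILED"


def imdsv2_enforced(http_tokens: Optional[str], http_endpoint: Optional[str]) -> bool:
    """True when IMDSv1 cannot be reached: tokens are required or the endpoint is off.

    A missing value falls back to the AWS/provider default (tokens optional,
    endpoint enabled), which means IMDSv1 still answers and the check must alert.
    """
    tokens = (http_tokens or "optional").lower()
    endpoint = (http_endpoint or "enabled").lower()
    return tokens == "required" or endpoint == "disabled"


def _first(value: Any) -> Optional[str]:
    """Unwrap single-element attribute lists (Checkov-style layout); pass strings through."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def check_terraform(conf: Mapping[str, Any]) -> str:
    """Terraform aws_instance / aws_launch_template / aws_launch_configuration.

    Assumed layout: attribute values are lists and a nested block is a list of
    dicts, e.g. {"metadata_options": [{"http_tokens": ["required"]}]}.
    """
    blocks: Sequence[Mapping[str, Any]] = conf.get("metadata_options") or []
    if not blocks:  # block omitted -> defaults apply -> IMDSv1 reachable
        return FAILED
    opts = blocks[0]
    tokens = _first(opts.get("http_tokens"))
    endpoint = _first(opts.get("http_endpoint"))
    return PASSED if imdsv2_enforced(tokens, endpoint) else FAILED


def check_cloudformation(resource: Mapping[str, Any]) -> str:
    """CloudFormation AWS::EC2::LaunchTemplate or AWS::AutoScaling::LaunchConfiguration.

    A LaunchTemplate nests MetadataOptions under LaunchTemplateData; a
    LaunchConfiguration carries MetadataOptions directly under Properties.
    """
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::EC2::LaunchTemplate":
        props = props.get("LaunchTemplateData", {})
    opts = props.get("MetadataOptions") or {}
    return PASSED if imdsv2_enforced(opts.get("HttpTokens"), opts.get("HttpEndpoint")) else FAILED


# Constructed sample resources: weak (no block / optional tokens), hardened
# (tokens required), and endpoint disabled outright.
TF_WEAK = {"instance_type": ["t3.micro"]}  # no metadata_options block at all
TF_HARDENED = {"metadata_options": [{"http_endpoint": ["enabled"], "http_tokens": ["required"]}]}
TF_OPTIONAL = {"metadata_options": [{"http_tokens": ["optional"]}]}
CFN_TEMPLATE_WEAK = {"Type": "AWS::EC2::LaunchTemplate",
                     "Properties": {"LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "optional"}}}}
CFN_LC_HARDENED = {"Type": "AWS::AutoScaling::LaunchConfiguration",
                   "Properties": {"MetadataOptions": {"HttpTokens": "required"}}}
CFN_ENDPOINT_OFF = {"Type": "AWS::AutoScaling::LaunchConfiguration",
                    "Properties": {"MetadataOptions": {"HttpEndpoint": "disabled"}}}

if __name__ == "__main__":
    for name, result in [
        ("tf: no metadata_options block", check_terraform(TF_WEAK)),
        ("tf: http_tokens = required", check_terraform(TF_HARDENED)),
        ("tf: http_tokens = optional", check_terraform(TF_OPTIONAL)),
        ("cfn: LaunchTemplate HttpTokens optional", check_cloudformation(CFN_TEMPLATE_WEAK)),
        ("cfn: LaunchConfiguration HttpTokens required", check_cloudformation(CFN_LC_HARDENED)),
        ("cfn: LaunchConfiguration HttpEndpoint disabled", check_cloudformation(CFN_ENDPOINT_OFF)),
    ]:
        print(f"{name:48} {result}")
```

The one design point worth calling out is the default handling: a check that only looks for `http_tokens == "optional"` would pass a resource that omits the block entirely, which is the most common way IMDSv1 stays enabled in practice, so an absent block is scored as a failure here rather than as "unknown".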

@stale

stale bot commented Mar 23, 2021

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

@stale stale bot added the stale label Mar 23, 2021
@KevinHock
Contributor

This is kinda done as far as Terraform goes, re: my commit above ref'ing this issue

What should we do for cloudformation?

@stale stale bot removed the stale label Mar 23, 2021
nimrodkor pushed a commit that referenced this issue Apr 8, 2021
…is disabled (#152)

* Add check CKV_AZURE_101 - Ensure that Azure Cosmos DB disables public network access

* Add check CKV_AZURE_104 - Ensure that Azure Data factory public network access is disabled

* CKV_AZURE_104 - Ensure that Azure Data factory public network access is disabled
@rollwagen

FYI - as far as CloudFormation goes, it seems this is still not possible on an EC2 instance level; still marked as 'open' on the roadmap. For details see aws-cloudformation/cloudformation-coverage-roadmap#655

@nimrodkor
Contributor

I believe this has been implemented for cloudformation and terraform. If someone disagrees - please reopen!

@rollwagen

@nimrodkor - thanks for the update and looking into this.
In CloudFormation the Checkov check is for an (EC2) LaunchConfiguration; this is at the moment still the workaround for setting IMDSv2, as it still can't be done directly on an EC2 resource type (the issue in the CloudFormation repo on this is still open, see link). So technically it is not fully closed, as the title says "Enforce IMDSv2 in EC2 instance"; however, practically, at the moment, I believe there's not much more that can be done (for CloudFormation).
