[Documentation][Security] Enforce IMDSv2 by default & update groovy section to use up-to-date constructor #748
Background

When recently setting up the EC2 plugin, I noticed the Groovy script detailed in the README used a deprecated `SlaveTemplate` constructor. The current link in the comment above the `SlaveTemplate` object instantiation points to an older version of the EC2 Plugin and doesn't include the ability to specify various additional settings such as `metadataEndpointEnabled`, `metadataTokensRequired`, `metadataHopsLimit`, `hostKeyVerificationStrategy`, etc.

What does this PR do?

This PR updates the Groovy script section of the README, bringing it up to date. The section now reflects the setting of additional properties for `SlaveTemplate` objects and updates the associated comment link to the `SlaveTemplate`'s javadoc webpage.

Additionally, I've updated the `metadataTokensRequired` field to be true by default, enforcing the usage of IMDSv2 over IMDSv1 out of the box when configuring an AMI. Explained here on Scott Piper's (an industry-leading AWS security expert) "wall of shame" repository, IMDSv2 should be used exclusively (over IMDSv1) as an AWS security best practice. IMDSv2 was released in response to the 2019 Capital One security breach, so I believe it is imperative that:

Both of the above bullets are accomplished in this particular PR.

I've ensured that these changes run without issues, producing the updated Jenkins agent configuration in a configured cloud. Please see the short video below for a visual confirmation of the settings defined in the README.
Screen.Recording.2022-06-28.at.11.02.57.PM.mov
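As an added example (not part of this PR or of the ec2-plugin's own code): a small Python audit that maps the three template settings named above (`metadataEndpointEnabled`, `metadataTokensRequired`, `metadataHopsLimit`) to the `MetadataOptions` fields AWS reports for each running instance, and flags agents on which IMDSv1 is still accepted or the PUT response hop limit is above one. The `describe_instances` response below is a constructed sample so the check runs offline; the `boto3` call at the bottom is only for a live run.

```python
"""Audit EC2 agents for IMDSv2 enforcement.

ec2-plugin template setting  ->  AWS MetadataOptions field
  metadataEndpointEnabled    ->  HttpEndpoint            ("enabled" / "disabled")
  metadataTokensRequired     ->  HttpTokens              ("required" / "optional")
  metadataHopsLimit          ->  HttpPutResponseHopLimit (integer)
"""
from typing import Dict, List

# Constructed sample in the shape of ec2.describe_instances() (trimmed to the relevant keys).
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111",  # tokens required, single hop: compliant
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222",  # IMDSv1 still accepted
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333",  # tokens required, but a token can cross one extra network hop
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ddd444",  # endpoint disabled: no IMDS exposure at all
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}]
}


def imds_findings(response: dict, max_hops: int = 1) -> Dict[str, List[str]]:
    """Return {instance_id: [finding, ...]} for every instance whose IMDS settings are
    weaker than 'tokens required with a single-hop limit'. Instances with the endpoint
    disabled are skipped, since nothing can reach their metadata service."""
    findings: Dict[str, List[str]] = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            issues = []
            if opts.get("HttpTokens") != "required":  # mirrors metadataTokensRequired == false
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hops:  # mirrors metadataHopsLimit > 1
                issues.append(f"hop limit {hops} exceeds {max_hops}")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


if __name__ == "__main__":
    import boto3  # live audit only; the sample above needs no credentials
    for page in boto3.client("ec2").get_paginator("describe_instances").paginate():
        for iid, issues in imds_findings(page).items():
            print(iid, "; ".join(issues))
```

Raise `max_hops` to 2 only for agents that run container workloads which must reach IMDS through the host's network namespace.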