launch_template_imdsv2_tfchecks.json
{
"checks": [
{
"code": "CUS001",
"description": "Check that IMDSv2 is required on EC2 instances created by this Launch Template",
"impact": "The Instance Metadata Service can be queried without a session token (IMDSv1), so it can be interacted with freely",
"resolution": "Enable the HTTP token requirement for IMDS by setting `http_tokens` to `required` in the `metadata_options` block",
"requiredTypes": [
"resource"
],
"requiredLabels": [
"aws_launch_template"
],
"severity": "CRITICAL",
"matchSpec": {
"action": "isPresent",
"name": "metadata_options",
"subMatch": {
"action": "and",
"predicateMatchSpec": [
{
"action": "equals",
"name": "http_tokens",
"value": "required"
}
]
}
},
"errorMessage": "is missing a `metadata_options` block, or has one without `http_tokens` set to `required` - this is required to make the Instance Metadata Service more secure.",
"relatedLinks": [
"https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
"https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
]
}
]
}