Instance Uses Metadata Service IMDSv1
- Query id: b9ef8c0e-1392-4df4-aa84-2e0f95681c75
- Query name: Instance Uses Metadata Service IMDSv1
- Platform: Ansible
- Severity: Low
- Category: Insecure Configurations
- CWE: 200
- Risk score: 1.0
- URL: Github
Description
Instance metadata can be accessed with either IMDSv1 or IMDSv2. IMDSv2, however, is a session-oriented service: every request must carry a session token obtained first with a PUT request, which grants additional protection against exposure of metadata information. IMDSv2 should therefore be enforced instead of IMDSv1 (by setting `http_tokens: required`) in order to mitigate that exposure.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: optional
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-launchconfig"
    image_id: ami-123456
    instance_type: t3.small
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: optional
    state: present
- name: start an instance with legacy naming and metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: optional
- name: create launch configuration with legacy naming and metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-launchconfig"
    image_id: ami-123456
    instance_type: t3.small
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: optional
    state: present
```
Positive test num. 2 - yaml file
```yaml
- name: start an instance
  amazon.aws.ec2_instance:
    name: "public-instance2"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
- name: create launch configuration
  community.aws.autoscaling_launch_config:
    name: "public-instance3"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
- name: start an instance with legacy naming
  community.aws.ec2_instance:
    name: "public-instance4"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
- name: create launch configuration with legacy naming
  community.aws.ec2_lc:
    name: "public-instance5"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
```
Positive test num. 3 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: optional
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: optional
- name: start an instance with legacy naming and metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: optional
- name: create launch configuration with legacy naming and metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: optional
```
Positive test num. 4 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      instance_metadata_tags: disabled
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      instance_metadata_tags: disabled
- name: start an instance with legacy naming and metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      instance_metadata_tags: disabled
- name: create launch configuration with legacy naming and metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      instance_metadata_tags: disabled
```
Positive test num. 5 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
- name: start an instance with legacy naming and metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
- name: create launch configuration with legacy naming and metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: required
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: required
- name: start an instance with legacy naming and metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: required
- name: create launch configuration with legacy naming and metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: enabled
      http_tokens: required
```
Negative test num. 2 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: required
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: required
- name: start an instance with legacy naming and metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: required
- name: create launch configuration with legacy naming and metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_tokens: required
```
Negative test num. 3 - yaml file
```yaml
- name: start an instance with metadata options
  amazon.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: disabled
      http_tokens: optional
- name: create launch configuration with metadata options
  community.aws.autoscaling_launch_config:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: disabled
      http_tokens: optional
- name: start an instance with legacy naming metadata options
  community.aws.ec2_instance:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: disabled
      http_tokens: optional
- name: create launch configuration with legacy naming metadata options
  community.aws.ec2_lc:
    name: "public-metadataoptions-instance"
    vpc_subnet_id: subnet-5calable
    instance_type: t3.small
    image_id: ami-123456
    tags:
      Environment: Testing
    metadata_options:
      http_endpoint: disabled
      http_tokens: optional
```
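The positive and negative samples above pin down the rule: a task for one of the four instance or launch-configuration modules is flagged when `metadata_options` is absent, when it has no `http_tokens` key, or when `http_tokens` is anything other than `required`, except when `http_endpoint` is `disabled` (no metadata service is reachable at all). The following Python is an added example, not the KICS query itself: it re-states that rule over task data in the shape `yaml.safe_load` produces for a playbook task list (the `IMDS_MODULES` tuple, the `imdsv1_finding`/`scan_tasks`/`harden_task` names and the constructed `SAMPLE_TASKS` are this example's own), and also shows the remediation, which is to set `http_tokens: required` on every affected task.

```python
"""Added example (not KICS's own implementation): the "Instance Uses
Metadata Service IMDSv1" rule re-stated over parsed Ansible tasks, plus
the corresponding fix.

Assumption: each task is a dict as yaml.safe_load() would return for one
entry of a playbook task list (a "name" key plus one module key).
"""
import copy

# Modules whose metadata_options block the rule inspects (the four module
# names used in the page's samples).
IMDS_MODULES = (
    "amazon.aws.ec2_instance",
    "community.aws.ec2_instance",
    "community.aws.autoscaling_launch_config",
    "community.aws.ec2_lc",
)


def _module_params(task):
    """Return (module name, its parameter dict) for an IMDS-relevant task, else (None, None)."""
    for module in IMDS_MODULES:
        if module in task:
            return module, (task[module] or {})
    return None, None


def imdsv1_finding(task):
    """Return a reason string if the task leaves IMDSv1 usable, else None."""
    module, params = _module_params(task)
    if module is None:
        return None  # not an EC2 instance / launch-configuration task
    opts = params.get("metadata_options") or {}
    if opts.get("http_endpoint") == "disabled":
        return None  # metadata service switched off entirely: nothing to expose
    label = task.get("name", "<unnamed>")
    tokens = opts.get("http_tokens")
    if tokens is None:
        # Absent key: the rule treats this as IMDSv1 allowed (positive tests 2, 4 and 5).
        return f"{label}: metadata_options.http_tokens not set, IMDSv1 allowed"
    if tokens != "required":
        return f"{label}: metadata_options.http_tokens is '{tokens}', expected 'required'"
    return None


def scan_tasks(tasks):
    """Run the rule over a task list and return the list of finding strings."""
    return [r for r in (imdsv1_finding(t) for t in tasks) if r]


def harden_task(task):
    """Return a deep copy of the task with IMDSv2 enforced (http_tokens: required).
    Tasks for other modules, and tasks with the endpoint disabled, are returned unchanged."""
    fixed = copy.deepcopy(task)
    module, params = _module_params(fixed)
    if module is None:
        return fixed
    opts = params.get("metadata_options") or {}
    if opts.get("http_endpoint") != "disabled":
        opts["http_tokens"] = "required"
    params["metadata_options"] = opts
    fixed[module] = params
    return fixed


# Constructed sample tasks mirroring the page's positive and negative cases.
SAMPLE_TASKS = [
    {"name": "explicit optional tokens",          # positive: like positive test 1
     "amazon.aws.ec2_instance": {"image_id": "ami-123456",
                                 "metadata_options": {"http_tokens": "optional"}}},
    {"name": "no metadata_options",               # positive: like positive test 2
     "community.aws.ec2_lc": {"image_id": "ami-123456"}},
    {"name": "endpoint enabled, tokens unset",    # positive: like positive test 5
     "community.aws.autoscaling_launch_config": {"metadata_options": {"http_endpoint": "enabled"}}},
    {"name": "endpoint disabled",                 # negative: like negative test 3
     "community.aws.ec2_instance": {"metadata_options": {"http_endpoint": "disabled",
                                                         "http_tokens": "optional"}}},
    {"name": "imdsv2 enforced",                   # negative: like negative test 2
     "amazon.aws.ec2_instance": {"metadata_options": {"http_tokens": "required"}}},
    {"name": "unrelated module",                  # ignored by the rule
     "ansible.builtin.debug": {"msg": "not an instance"}},
]

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print("FINDING:", finding)
    print("after hardening:", scan_tasks([harden_task(t) for t in SAMPLE_TASKS]))
```

Running the module prints three findings (the first three sample tasks) and an empty list after `harden_task` has been applied, which matches how the page's own negative tests are built from its positive ones: the only change needed is `http_tokens: required`.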