Instance Uses Metadata Service IMDSv1
- Query id: c306ac53-ee5b-41d3-86a9-0fd2722b4e67
- Query name: Instance Uses Metadata Service IMDSv1
- Platform: Terraform
- Severity: Low
- Category: Insecure Configurations
- CWE: 200
- Risk score: 1.0
- URL: GitHub
Description
Instance metadata can be served over IMDSv1 (a plain, unauthenticated GET against the link-local metadata endpoint) or IMDSv2 (session-oriented: the caller must first obtain a token with a PUT request and present it as a header on every subsequent request). That token step defeats the usual ways IMDSv1 is abused — SSRF, open reverse proxies and similar request-forwarding bugs that can issue a GET but not a PUT with a custom header — so it materially reduces the exposure of the instance-profile credentials and user data held in metadata. Enforce IMDSv2 by setting `http_tokens = "required"` inside `metadata_options` on `aws_instance`, `aws_launch_template` and `aws_launch_configuration` (or the equivalent module input); leaving it at `"optional"`, or omitting `metadata_options` entirely, leaves IMDSv1 available. Disabling the endpoint (`http_endpoint = "disabled"`) also avoids this finding, but removes metadata access — including instance-role credentials — for every workload on the instance, so `http_tokens = "required"` is normally the right fix. The samples below do not exercise `http_put_response_hop_limit`; keep it at 1 unless containers on the instance legitimately need IMDS.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: http_tokens = "optional" keeps IMDSv1 (unauthenticated GET) reachable
# alongside IMDSv2. Remediation is http_tokens = "required".
resource "aws_instance" "positive1_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "optional"
  }
}
# Flagged: http_tokens = "optional" leaves IMDSv1 enabled for every instance the
# autoscaling group launches from this configuration.
# NOTE(review): launch configurations are a legacy AWS construct; new code should
# prefer aws_launch_template, which carries the same metadata_options.
resource "aws_launch_configuration" "positive1_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "optional"
  }
}
# Flagged: http_tokens = "optional" leaves IMDSv1 enabled for instances launched
# from this template. Remediation is http_tokens = "required".
resource "aws_launch_template" "positive1_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "optional"
  }
}
Positive test num. 2 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: only http_endpoint is set; http_tokens is left unset, so the token
# requirement is not enforced and IMDSv1 stays available.
# NOTE(review): a module call takes arguments, not nested blocks — Terraform
# rejects `metadata_options { ... }` here ("Unsupported block type"); the valid
# form is `metadata_options = { ... }`. Left as-is because it is the scanner
# fixture. Also, passing a map that omits http_tokens replaces the module's
# own default for this input rather than merging with it — confirm against the
# pinned module version before relying on its default.
module "positive10_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "enabled"
  }
}
# Flagged: http_endpoint alone does not enforce IMDSv2; http_tokens is unset.
# NOTE(review): nested blocks are not accepted in module calls — the valid
# form is `metadata_options = { ... }`. Left as-is because it is the fixture.
module "positive10_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "enabled"
  }
}
Positive test num. 3 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: the endpoint is enabled with http_tokens = "optional", so IMDSv1
# (no session token) is accepted. Remediation is http_tokens = "required".
resource "aws_instance" "positive2_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
}
# Flagged: endpoint enabled with http_tokens = "optional" — IMDSv1 accepted on
# every instance launched from this configuration.
resource "aws_launch_configuration" "positive2_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
}
# Flagged: endpoint enabled with http_tokens = "optional" — IMDSv1 accepted on
# every instance launched from this template.
resource "aws_launch_template" "positive2_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
}
Positive test num. 4 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: instance_metadata_tags only controls whether instance tags are served
# by IMDS; http_tokens is left at its default, so IMDSv1 is not disabled.
resource "aws_instance" "positive3_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}
# Flagged: http_tokens is unset, so IMDSv1 is not disabled.
# NOTE(review): aws_launch_configuration's metadata_options block is documented
# with http_endpoint, http_tokens and http_put_response_hop_limit only;
# instance_metadata_tags is expected to fail validation here — confirm against
# the provider version in use. Left as-is because it is the scanner fixture.
resource "aws_launch_configuration" "positive3_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}
# Flagged: instance_metadata_tags only exposes tags through IMDS; http_tokens is
# left at its default, so IMDSv1 is not disabled.
resource "aws_launch_template" "positive3_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}
Positive test num. 5 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: no metadata_options at all, so the token requirement falls back to
# the AWS-side default (IMDSv1 permitted unless the account's instance-metadata
# defaults were changed out of band); the configuration itself enforces nothing.
resource "aws_instance" "positive4_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
}
# Flagged: no metadata_options — IMDSv2 is not enforced by this configuration.
resource "aws_launch_configuration" "positive4_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
}
# Flagged: no metadata_options — IMDSv2 is not enforced by this template.
resource "aws_launch_template" "positive4_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
}
Positive test num. 6 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: http_endpoint = "enabled" is the default anyway; without
# http_tokens = "required" the endpoint still answers unauthenticated IMDSv1 calls.
resource "aws_instance" "positive5_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
  }
}
# Flagged: enabling the endpoint without http_tokens = "required" leaves IMDSv1 on.
resource "aws_launch_configuration" "positive5_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
  }
}
# Flagged: enabling the endpoint without http_tokens = "required" leaves IMDSv1 on.
resource "aws_launch_template" "positive5_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
  }
}
Positive test num. 7 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: http_tokens = "optional" passed to the module keeps IMDSv1 reachable.
# NOTE(review): module calls take arguments, not nested blocks — the valid form
# is `metadata_options = { http_tokens = "optional" }`. Left as-is as the fixture.
module "positive6_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    http_tokens = "optional"
  }
}
# Flagged: http_tokens = "optional" passed to the module keeps IMDSv1 reachable.
# NOTE(review): module calls take arguments, not nested blocks — the valid form
# is `metadata_options = { http_tokens = "optional" }`. Left as-is as the fixture.
module "positive6_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    http_tokens = "optional"
  }
}
Positive test num. 8 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: endpoint enabled with http_tokens = "optional" — IMDSv1 accepted.
# NOTE(review): should be an argument (`metadata_options = { ... }`); a nested
# block is not valid in a module call. Left as-is because it is the fixture.
module "positive7_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
}
# Flagged: endpoint enabled with http_tokens = "optional" — IMDSv1 accepted.
# NOTE(review): should be an argument (`metadata_options = { ... }`); a nested
# block is not valid in a module call. Left as-is because it is the fixture.
module "positive7_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional"
  }
}
Positive test num. 9 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: instance_metadata_tags only exposes tags via IMDS; http_tokens is
# absent, so IMDSv2 is not enforced.
# NOTE(review): should be `metadata_options = { ... }` — nested blocks are not
# valid in a module call. Left as-is because it is the fixture.
module "positive8_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}
# Flagged: instance_metadata_tags only exposes tags via IMDS; http_tokens is
# absent, so IMDSv2 is not enforced.
# NOTE(review): should be `metadata_options = { ... }` — nested blocks are not
# valid in a module call. Left as-is because it is the fixture.
module "positive8_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}
Positive test num. 10 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Flagged: no metadata_options passed, so nothing in this configuration
# enforces IMDSv2.
# NOTE(review): the upstream ec2-instance module is believed to default
# metadata_options to http_tokens = "required" on its own, in which case the
# real instance would be fine even though the static check cannot see that —
# confirm against the pinned module version. Also, this module's image input
# is `ami`, not `image_id`, as far as its documented variables go; verify.
module "positive9_instance" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 6.0"
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
}
# Flagged: no metadata_options passed, so nothing in this configuration
# enforces IMDSv2; the effective setting is whatever the module and AWS default to.
module "positive9_launch_config" {
  source        = "terraform-aws-modules/autoscaling/aws"
  version       = "~> 6.0"
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Passes: http_tokens = "required" makes every metadata request carry an IMDSv2
# session token, so plain GETs (the SSRF-style abuse path) are refused.
# Consider also setting http_put_response_hop_limit explicitly (1 unless
# containers on the instance need IMDS).
resource "aws_instance" "negative1_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
# Passes: IMDSv2 enforced (http_tokens = "required") for every instance launched
# from this configuration.
resource "aws_launch_configuration" "negative1_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
# Passes: IMDSv2 enforced (http_tokens = "required") for every instance launched
# from this template.
resource "aws_launch_template" "negative1_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
Negative test num. 2 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Passes: http_tokens = "required" alone is sufficient — http_endpoint defaults
# to enabled, and the token requirement is what shuts off IMDSv1.
resource "aws_instance" "negative2_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "required"
  }
}
# Passes: http_tokens = "required" enforces IMDSv2; the endpoint stays at its
# enabled default.
resource "aws_launch_configuration" "negative2_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "required"
  }
}
# Passes: http_tokens = "required" enforces IMDSv2; the endpoint stays at its
# enabled default.
resource "aws_launch_template" "negative2_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_tokens = "required"
  }
}
Negative test num. 3 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Passes only because the endpoint is switched off entirely; http_tokens is moot
# when nothing answers. Caveat: with IMDS disabled, SDKs on the instance cannot
# fetch instance-profile credentials and agents cannot read user data, so for
# most workloads http_tokens = "required" is the better remediation.
resource "aws_instance" "negative3_1" {
  ami           = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "optional"
  }
}
# Passes because IMDS is disabled outright; http_tokens = "optional" has no effect.
# Caveat: this also blocks instance-profile credentials and user-data access on
# every instance launched from this configuration.
resource "aws_launch_configuration" "negative3_2" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "optional"
  }
}
# Passes because IMDS is disabled outright; http_tokens = "optional" has no effect.
# Caveat: this also blocks instance-profile credentials and user-data access on
# every instance launched from this template.
resource "aws_launch_template" "negative3_3" {
  image_id      = "ami-12345678"
  instance_type = "t2.micro"
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "optional"
  }
}
Negative test num. 4 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Passes: http_tokens = "required" is passed through to the module, enforcing IMDSv2.
# NOTE(review): in a module call this must be an argument —
# `metadata_options = { http_endpoint = "enabled", http_tokens = "required" }`;
# the nested-block form shown is kept only because it is the scanner fixture.
module "negative4_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
# Passes: http_tokens = "required" is passed through to the module, enforcing IMDSv2.
# NOTE(review): in a module call this must be an argument
# (`metadata_options = { ... }`); the nested-block form is kept only as the fixture.
module "negative4_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
Negative test num. 5 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Passes: http_tokens = "required" enforces IMDSv2; the endpoint is left at its default.
# NOTE(review): valid module syntax is `metadata_options = { http_tokens = "required" }`;
# the nested-block form is kept only as the scanner fixture.
module "negative5_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    http_tokens = "required"
  }
}
# Passes: http_tokens = "required" enforces IMDSv2; the endpoint is left at its default.
# NOTE(review): valid module syntax is `metadata_options = { http_tokens = "required" }`;
# the nested-block form is kept only as the scanner fixture.
module "negative5_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    http_tokens = "required"
  }
}
Negative test num. 6 - tf file
# Region only — IMDS enforcement is configured per instance/template, not on the provider.
provider "aws" {
  region = "us-east-1"
}
# Passes because IMDS is disabled outright; http_tokens = "optional" has no effect.
# Caveat: instance-profile credentials and user data become unreachable on the
# instance — prefer http_tokens = "required" unless IMDS is genuinely unneeded.
# NOTE(review): valid module syntax is `metadata_options = { ... }`; the
# nested-block form is kept only as the scanner fixture.
module "negative6_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "optional"
  }
}
# Passes because IMDS is disabled outright; http_tokens = "optional" has no effect.
# Caveat: instance-profile credentials and user data become unreachable on
# every instance the group launches — prefer http_tokens = "required" unless
# IMDS is genuinely unneeded.
# NOTE(review): valid module syntax is `metadata_options = { ... }`; the
# nested-block form is kept only as the scanner fixture.
module "negative6_launch_config" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 6.0"
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "optional"
  }
}