CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
If Instance Metadata Service v2 (IMDSv2) is not enforced, the metadata service may be vulnerable to reverse proxy/open firewall misconfigurations and server-side request forgery attacks.
Set the aws_instance metadata_options block with the http_tokens attribute set to required and the http_endpoint attribute set to enabled.
resource "aws_instance" "allowed" {
  ami           = "ami-005e54dee72ccabcd"
  instance_type = "t3.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
Configure the AWS::EC2::LaunchTemplate LaunchTemplateData MetadataOptions block with the HttpEndpoint attribute set to enabled and HttpTokens set to required.
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an EC2 instance using Launch Template with IMDSv2 enabled
Resources:
  AllowedLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: AllowedLaunchTemplate
      LaunchTemplateData:
        InstanceType: t2.micro
        ImageId: ami-123456 # Provide a valid AMI ID for your region
        MetadataOptions:
          HttpEndpoint: enabled
          HttpTokens: required
  AllowedEC2Instance:
    Type: AWS::EC2::Instance
    DependsOn: AllowedLaunchTemplate
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref AllowedLaunchTemplate
        # Must reference the launch template defined above, not an undefined resource
        Version: !GetAtt AllowedLaunchTemplate.LatestVersionNumber
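The following is an added example (not part of this rule page or any vendor's scanner) showing how the CloudFormation fix above can be verified before deployment: it walks a template in JSON form, flags launch templates whose MetadataOptions do not set HttpTokens to required, and resolves each AWS::EC2::Instance's LaunchTemplateId Ref so that instances with no launch template, or with a non-compliant one, are flagged too. The SAMPLE_TEMPLATE, its logical IDs and the function names are constructed for this example.

```python
"""Flag EC2 resources in a CloudFormation template that leave IMDSv1 enabled."""
import json

# Constructed sample (JSON form of CloudFormation): one compliant launch template,
# one that leaves tokens optional, and instances using each plus one with no template.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "GoodLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData":
    {"MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}}},
  "BadLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData":
    {"MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}}},
  "GoodInstance": {"Type": "AWS::EC2::Instance", "Properties":
    {"LaunchTemplate": {"LaunchTemplateId": {"Ref": "GoodLT"}}}},
  "BadInstance": {"Type": "AWS::EC2::Instance", "Properties":
    {"LaunchTemplate": {"LaunchTemplateId": {"Ref": "BadLT"}}}},
  "BareInstance": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-123456"}}
}}
""")


def imdsv2_enforced(metadata_options):
    """True only when HttpTokens is 'required'. A missing block means the AWS
    default applies, which leaves IMDSv1 reachable, so it counts as not enforced."""
    if not isinstance(metadata_options, dict):
        return False
    return metadata_options.get("HttpTokens") == "required"


def _template_metadata_options(resource):
    """Pull MetadataOptions out of an AWS::EC2::LaunchTemplate resource (or {} if absent)."""
    props = resource.get("Properties", {})
    return props.get("LaunchTemplateData", {}).get("MetadataOptions")


def find_imdsv1_resources(template):
    """Return sorted logical IDs of launch templates and instances that do not enforce IMDSv2."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::LaunchTemplate":
            if not imdsv2_enforced(_template_metadata_options(res)):
                findings.append(name)
        elif res.get("Type") == "AWS::EC2::Instance":
            # This checker assumes MetadataOptions lives in the launch template, as in the
            # fix above, so an instance is compliant only via a compliant LaunchTemplateId Ref.
            ref = res.get("Properties", {}).get("LaunchTemplate", {}).get("LaunchTemplateId")
            target = ref.get("Ref") if isinstance(ref, dict) else None
            if not imdsv2_enforced(_template_metadata_options(resources.get(target, {}))):
                findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    print(find_imdsv1_resources(SAMPLE_TEMPLATE))  # ['BadInstance', 'BadLT', 'BareInstance']
```

Templates written in YAML with short-form tags such as !Ref can be converted to JSON (for example with the AWS CLI or cfn-flip) before being passed to find_imdsv1_resources.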