SageMaker Notebook instance accepts IMDSv1, affecting the SageMaker service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Authentication

Frameworks: CIS-AWS
Snyk ID: SNYK-CC-00782
Credit: Snyk Research Team

Description

Enforcing IMDSv2 on SageMaker Notebook instances mitigates the risk of unauthorized retrieval of instance metadata, which could lead to exposure of the instance role's credentials and to privilege escalation. IMDSv1 answers plain GET requests without a session token, so a server-side request forgery (SSRF) flaw in software running on the instance is enough to read the metadata; IMDSv2 requires a session-oriented request (a PUT to obtain a token, then requests carrying that token), which such flaws typically cannot perform.

How to fix?

Set the instance_metadata_service_configuration.minimum_instance_metadata_service_version attribute of the aws_sagemaker_notebook_instance resource to 2, so that the instance accepts IMDSv2 requests only.

Example Configuration

resource "aws_sagemaker_notebook_instance" "allow1" {
  name          = "rule-782-ni"
  role_arn      = aws_iam_role.rule-782-role.arn
  instance_type = "ml.t2.medium"

  # Require IMDSv2: valid values are 1 (IMDSv1 and IMDSv2 both allowed,
  # the default when the block is omitted) and 2 (IMDSv2 only).
  instance_metadata_service_configuration {
    minimum_instance_metadata_service_version = 2
  }
}
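The Terraform setting above only covers instances managed as code. As an added example (not part of the Snyk rule page), the Python below applies the same rule to instances already running in an account: it evaluates the InstanceMetadataServiceConfiguration block that SageMaker's DescribeNotebookInstance API returns and flags every instance that still allows IMDSv1, treating a missing block as IMDSv1 allowed because that is the API default. The sample responses are constructed inline so the script runs offline; describe_all uses the real boto3 list/describe calls when given a client.

```python
"""Audit SageMaker notebook instances for IMDSv1 exposure (added example, not Snyk code)."""
from typing import Dict, Iterable, List

# Constructed sample responses shaped like sagemaker:DescribeNotebookInstance output.
# MinimumInstanceMetadataServiceVersion is a string, "1" or "2"; when the block is
# absent the instance was created with the default, which allows IMDSv1.
SAMPLE_INSTANCES = [
    {"NotebookInstanceName": "rule-782-ni",
     "InstanceMetadataServiceConfiguration": {"MinimumInstanceMetadataServiceVersion": "2"}},
    {"NotebookInstanceName": "legacy-notebook",
     "InstanceMetadataServiceConfiguration": {"MinimumInstanceMetadataServiceVersion": "1"}},
    {"NotebookInstanceName": "unset-notebook"},  # no IMDS configuration block at all
]


def allows_imdsv1(description: Dict) -> bool:
    """True if the notebook instance still answers token-less IMDSv1 requests."""
    cfg = description.get("InstanceMetadataServiceConfiguration") or {}
    # Missing value means the API default of "1"; compare as a string since the API returns one.
    minimum = str(cfg.get("MinimumInstanceMetadataServiceVersion", "1"))
    return minimum != "2"


def find_noncompliant(descriptions: Iterable[Dict]) -> List[str]:
    """Return the names of instances that violate SNYK-CC-00782 (IMDSv2 not enforced)."""
    return [d["NotebookInstanceName"] for d in descriptions if allows_imdsv1(d)]


def describe_all(sagemaker_client) -> Iterable[Dict]:
    """Yield a DescribeNotebookInstance result for every instance in the account.

    Takes a boto3 SageMaker client; ListNotebookInstances is paginated, so the
    paginator is used rather than a single call.
    """
    paginator = sagemaker_client.get_paginator("list_notebook_instances")
    for page in paginator.paginate():
        for summary in page.get("NotebookInstances", []):
            yield sagemaker_client.describe_notebook_instance(
                NotebookInstanceName=summary["NotebookInstanceName"])


if __name__ == "__main__":
    # Offline run over the constructed sample. To audit a real account, replace
    # SAMPLE_INSTANCES with describe_all(boto3.client("sagemaker")).
    for name in find_noncompliant(SAMPLE_INSTANCES):
        print(f"IMDSv1 still allowed on notebook instance: {name}")
```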