Enable only IMDSv2 by default #419

Closed
niooss-ledger opened this issue Mar 5, 2025 · 1 comment · Fixed by #424

niooss-ledger commented Mar 5, 2025

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • Yes ✅: configuring IMDS options has been available for a long time.

Is your request related to a problem? Please describe.

Amazon announced in https://aws.amazon.com/blogs/aws/amazon-ec2-instance-metadata-service-imdsv2-by-default/ :

"Effective mid-2024, newly released Amazon EC2 instance types will use only version 2 of the EC2 Instance Metadata Service (IMDSv2)."

The Terraform module which creates EC2 instances is still enabling IMDSv1 by default. Could you please modify this?

Describe the solution you'd like.

When creating an EC2 instance with Terraform, I would like its MetadataOptions.HttpTokens to be set to required instead of optional.

Describe alternatives you've considered.

I have already been adding metadata_options = { http_tokens = "required" } in my projects, but it would be better if it was the default.

Additional context

IMDSv2 has been available since 2019, with advantages listed at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/. Disabling IMDSv1 enhances the security of EC2 instances as it limits the impact of some vulnerabilities (this was described in detail on the AWS News Blog).

The default value is currently defined in variables.tf:

```hcl
variable "metadata_options" {
  description = "Customize the metadata options of the instance"
  type        = map(string)
  default = {
    "http_endpoint"               = "enabled"
    "http_put_response_hop_limit" = 1
    "http_tokens"                 = "optional"
  }
}
```

Several other files seem to use "optional" as the default value for metadata_options.http_tokens and could be updated to use "required":
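An audit of already-running instances for the weak setting this issue is about, as an added example that is not part of the issue or of the module: it walks a `describe_instances` response (a sample constructed inline, with made-up instance ids) and flags every instance whose `HttpTokens` is not `required` or whose hop limit exceeds 1; `find_imds_findings` and `remediation_params` are assumed names.

```python
# Audit describe_instances output for IMDSv1 exposure (HttpTokens != "required")
# or a raised hop limit. Input shape follows boto3's ec2.describe_instances();
# the sample is constructed inline so the check runs offline.
REQUIRED = "required"

# Constructed sample: compliant, IMDSv1-enabled, endpoint disabled, high hop limit.
SAMPLE_RESPONSE = {"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0000000000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}}]},
    {"Instances": [
        {"InstanceId": "i-0000000000000003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000004",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 3}}]}]}


def find_imds_findings(response, max_hop_limit=1):
    """Return {instance_id: [reasons]} for instances weaker than the hardened
    default (tokens required, hop limit 1). A disabled endpoint is skipped:
    with no IMDS reachable at all, IMDSv1 cannot be abused on that instance."""
    findings = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            reasons = []
            tokens = opts.get("HttpTokens")
            if tokens != REQUIRED:
                reasons.append("IMDSv1 allowed (HttpTokens=%s)" % tokens)
            hops = int(opts.get("HttpPutResponseHopLimit", 1))
            if hops > max_hop_limit:
                reasons.append("hop limit %d > %d" % (hops, max_hop_limit))
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


def remediation_params(findings):
    """Keyword arguments for boto3's ec2.modify_instance_metadata_options(),
    one dict per flagged instance; issuing the call is left to the caller."""
    return [{"InstanceId": iid, "HttpTokens": REQUIRED, "HttpPutResponseHopLimit": 1}
            for iid in sorted(findings)]
```

Feeding real output from `aws ec2 describe-instances` (one region at a time) into `find_imds_findings` gives the list of instances the new module default would not have fixed retroactively.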

antonbabenko (Member) commented:

This issue has been resolved in version 5.8.0 🎉
