github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/as_enforce_http_token_imds.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/as_enforce_http_token_imds.go (about)

     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckASIMDSAccessRequiresToken = rules.Register(
    12  	scan.Rule{
    13  		AVDID:      "AVD-AWS-0130",
    14  		Aliases:    []string{"aws-autoscaling-enforce-http-token-imds"},
    15  		Provider:   providers.AWSProvider,
    16  		Service:    "ec2",
    17  		ShortCode:  "enforce-launch-config-http-token-imds",
    18  		Summary:    "aws_instance should activate session tokens for Instance Metadata Service.",
    19  		Impact:     "Instance metadata service can be interacted with freely",
    20  		Resolution: "Enable HTTP token requirement for IMDS",
    21  		Explanation: `
    22  IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
    23  By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
    24  To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
    25  `,
    26  
    27  		Links: []string{
    28  			"https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service",
    29  		},
    30  
    31  		Terraform: &scan.EngineMetadata{
    32  			GoodExamples:        terraformASEnforceHttpTokenImdsGoodExamples,
    33  			BadExamples:         terraformASEnforceHttpTokenImdsBadExamples,
    34  			Links:               terraformASEnforceHttpTokenImdsLinks,
    35  			RemediationMarkdown: terraformASEnforceHttpTokenImdsRemediationMarkdown,
    36  		},
    37  		CloudFormation: &scan.EngineMetadata{
    38  			GoodExamples:        cloudformationASEnforceHttpTokenImdsGoodExamples,
    39  			BadExamples:         cloudformationASEnforceHttpTokenImdsBadExamples,
    40  			Links:               cloudformationASEnforceHttpTokenImdsLinks,
    41  			RemediationMarkdown: cloudformationASEnforceHttpTokenImdsRemediationMarkdown,
    42  		},
    43  		Severity: severity.High,
    44  	},
    45  	func(s *state.State) (results scan.Results) {
    46  		for _, configuration := range s.AWS.EC2.LaunchConfigurations {
    47  			if !configuration.RequiresIMDSToken() && !configuration.HasHTTPEndpointDisabled() {
    48  				results.Add(
    49  					"Launch configuration does not require IMDS access to require a token",
    50  					configuration.MetadataOptions.HttpTokens,
    51  				)
    52  			} else {
    53  				results.AddPassed(&configuration)
    54  			}
    55  		}
    56  		for _, instance := range s.AWS.EC2.LaunchTemplates {
    57  			if !instance.RequiresIMDSToken() && !instance.HasHTTPEndpointDisabled() {
    58  				results.Add(
    59  					"Launch template does not require IMDS access to require a token",
    60  					instance.MetadataOptions.HttpTokens,
    61  				)
    62  			} else {
    63  				results.AddPassed(&instance)
    64  			}
    65  		}
    66  		return results
    67  	},
    68  )