Conversation

@corelight-ricky
Contributor

Summary

Remediation for Checkov security check CKV_AWS_79 and CISA Near-Term Essential Security (NES) requirement for EC2 instance metadata protection.

Changes

  • Add metadata_options block to aws_launch_template.sensor_launch_template
  • Set http_tokens = 'required' to enforce IMDSv2 (session-oriented)
  • Set http_put_response_hop_limit = 1 to limit metadata service access
  • Keep http_endpoint = 'enabled' to maintain metadata availability

Security Benefits

  • ✅ Prevents SSRF attacks against instance metadata service
  • ✅ Requires PUT request before GET (session tokens)
  • ✅ Aligns with AWS security best practices
  • ✅ Satisfies CISA NES control requirements

Testing

  • ✅ Verified with Checkov security scanner (CKV_AWS_79 now passes)
  • ✅ No functional impact - IMDSv2 is backward compatible with AWS SDKs

References

Checkov Results

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	PASSED for resource: aws_launch_template.sensor_launch_template

Full scan results attached: checkov-scan-results.txt
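To make the change concrete, here is an added Terraform example (not the project's own code) that puts a launch template with the weak default beside one that enforces IMDSv2 as described in this PR. The resource name `sensor_launch_template` comes from the PR; the `sensor_imdsv1` resource, the variables and the `name_prefix` values are assumptions made for illustration.

```hcl
# Added example, not code from the corelight repository. Resource and variable
# names other than sensor_launch_template are assumptions.

variable "ami_id" {
  type = string
}

variable "instance_type" {
  type    = string
  default = "t3.medium"
}

# Before: metadata_options is omitted, so http_tokens defaults to "optional"
# and a plain, token-less GET to the metadata service (IMDSv1) is answered.
# This is the state Checkov flags under CKV_AWS_79.
resource "aws_launch_template" "sensor_imdsv1" {
  name_prefix   = "sensor-imdsv1-"
  image_id      = var.ami_id
  instance_type = var.instance_type
}

# After: IMDSv2 enforced. Every metadata read must first obtain a session token
# with a PUT request and present it on the GET; a request merely forwarded by
# a vulnerable application (SSRF) normally cannot complete that exchange.
resource "aws_launch_template" "sensor_launch_template" {
  name_prefix   = "sensor-"
  image_id      = var.ami_id
  instance_type = var.instance_type

  metadata_options {
    http_endpoint = "enabled"  # metadata stays reachable for the SDK and agents
    http_tokens   = "required" # reject token-less (IMDSv1) requests

    # http_put_response_hop_limit is left at its default of 1, matching the
    # follow-up commit in this PR: the token PUT response then cannot travel
    # past one IP hop, so it cannot leave the instance's own network interface.
    # Workloads in bridged containers that need IMDS would require a higher
    # value, so that setting is a conscious trade-off, not just a default.
  }
}
```

Running `checkov -d .` against a directory containing the first resource reports CKV_AWS_79 as FAILED for `aws_launch_template.sensor_imdsv1` and PASSED for `aws_launch_template.sensor_launch_template`, which is the same pass/fail pair the PR's before-and-after scans describe. Note that the setting applies to instances launched from the template after the change; instances already running keep the metadata options they were launched with until they are replaced or modified.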

Ricky Lin and others added 2 commits November 21, 2025 09:56
Remediation for Checkov security check CKV_AWS_79 and CISA Near-Term
Essential Security (NES) requirement for EC2 instance metadata protection.

Changes:
- Add metadata_options block to aws_launch_template.sensor_launch_template
- Set http_tokens = 'required' to enforce IMDSv2 (session-oriented)
- Set http_put_response_hop_limit = 1 to limit metadata service access
- Keep http_endpoint = 'enabled' to maintain metadata availability

Security Benefits:
- Prevents SSRF attacks against instance metadata service
- Requires PUT request before GET (session tokens)
- Aligns with AWS security best practices
- Satisfies CISA NES control requirements

References:
- https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
- https://www.cisa.gov/resources-tools/resources/near-term-essential-security-nes

Testing:
Verified with checkov security scanner before and after change.
No functional impact - IMDSv2 is backward compatible with AWS SDKs.

- Remove redundant http_put_response_hop_limit (defaults to 1)
- Match existing pattern in modules/bastion/instance.tf
- Still passes CKV_AWS_79 security check
@jmfiola jmfiola self-requested a review November 24, 2025 21:31
@jmfiola jmfiola merged commit 1c231df into corelight:main Nov 25, 2025
3 checks passed