Result #3 HIGH Launch template does not require IMDS access to require a token
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
.terraform/modules/nat_instance/main.tf Lines 67-115
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
67 │ resource "aws_launch_template" "this" {
68 │ name_prefix = var.name
69 │ image_id = var.image_id != "" ? var.image_id : data.aws_ami.this.id
70 │ key_name = var.key_name
71 │
72 │ iam_instance_profile {
73 │ arn = aws_iam_instance_profile.this.arn
74 │ }
75 │
76 │ network_interfaces {
77 │ associate_public_ip_address = true
78 │ security_groups = [aws_security_group.this.id]
79 │ delete_on_termination = true
80 │ }
81 │
82 │ tag_specifications {
83 │ resource_type = "instance"
84 │ tags = local.common_tags
85 │ }
86 │
87 │ user_data = base64encode(join("\n", [
88 │ "#cloud-config",
89 │ yamlencode({
90 │ # https://cloudinit.readthedocs.io/en/latest/topics/modules.html
91 │ write_files : concat([
92 │ {
93 │ path : "/opt/nat/runonce.sh",
94 │ content : templatefile("${path.module}/runonce.sh", { eni_id = aws_network_interface.this.id }),
95 │ permissions : "0755",
96 │ },
97 │ {
98 │ path : "/opt/nat/snat.sh",
99 │ content : file("${path.module}/snat.sh"),
100 │ permissions : "0755",
101 │ },
102 │ {
103 │ path : "/etc/systemd/system/snat.service",
104 │ content : file("${path.module}/snat.service"),
105 │ },
106 │ ], var.user_data_write_files),
107 │ runcmd : concat([
108 │ ["/opt/nat/runonce.sh"],
109 │ ], var.user_data_runcmd),
110 │ })
111 │ ]))
112 │
113 │ description = "Launch template for NAT instance ${var.name}"
114 │ tags = local.common_tags
115 │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ID aws-autoscaling-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS
More Information
- https://aquasecurity.github.io/tfsec/v1.8.0/checks/aws/autoscaling/enforce-http-token-imds/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options