fix: EC2 instances should use IMDSv2 (#1159)

* fix!: EC2 instances should use IMDSv2 BREAKING CHANGE: If your application has dependencies which still rely on IDMSv1 you will need to update them before upgrading to this version of @guardian/cdk. You should upgrade your CODE infrastructure and confirm that your application still deploys and functions as expected before deploying this to PROD. For more details see: https://github.com/guardian/security-hq/blob/main/hq/markdown/guardduty-sechub-common-problems.md#ec2-instances-should-use-imdsv2. * docs: mention IMDSv2 usage in GuAutoScalingGroup docs
guardian · Mar 11, 2022 · 65260d7 · 65260d7
1 parent 7d711ba
commit 65260d7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/src/constructs/autoscaling/asg.ts b/src/constructs/autoscaling/asg.ts
@@ -27,6 +27,7 @@ export interface GuAutoScalingGroupProps
       | "minCapacity"
       | "maxCapacity"
       | "desiredCapacity"
+      | "requireImdsv2"
       | "securityGroup"
     >,
     AppIdentity,
@@ -54,6 +55,9 @@ export interface GuAutoScalingGroupProps
  *
  * If additional ingress or egress rules are required, define custom security groups and pass them in via the
  * `additionalSecurityGroups` prop.
+ *
+ * All EC2 instances provisioned via this construct will use
+ * [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).
  */
 export class GuAutoScalingGroup extends GuStatefulMigratableConstruct(GuAppAwareConstruct(AutoScalingGroup)) {
   constructor(scope: GuStack, id: string, props: GuAutoScalingGroupProps) {
@@ -83,6 +87,7 @@ export class GuAutoScalingGroup extends GuStatefulMigratableConstruct(GuAppAware
       minCapacity: minimumInstances,
       maxCapacity: maximumInstances ?? minimumInstances * 2,
       role,
+      requireImdsv2: true,
       machineImage: {
         getImage: (): MachineImageConfig => {
           return {

diff --git a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
@@ -167,6 +167,9 @@ Object {
           "Ref": "AMITestguec2app",
         },
         "InstanceType": "t4g.medium",
+        "MetadataOptions": Object {
+          "HttpTokens": "required",
+        },
         "SecurityGroups": Array [
           Object {
             "Fn::GetAtt": Array [
@@ -1056,6 +1059,9 @@ Object {
           "Ref": "AMITestguec2app",
         },
         "InstanceType": "t4g.medium",
+        "MetadataOptions": Object {
+          "HttpTokens": "required",
+        },
         "SecurityGroups": Array [
           Object {
             "Fn::GetAtt": Array [