terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional


AWS EC2 Instance allowing use of the IMDSv1


Definition

rules:
  - id: ec2-imdsv1-optional
    languages:
      - hcl
    # Why this matters: IMDSv1 answers plain GET requests, so any SSRF or
    # request-forwarding bug on the instance can read the attached role's
    # credentials from the instance metadata service (see the AWS blog post
    # referenced below). IMDSv2 requires a session token obtained via PUT
    # first; in Terraform that is enforced with http_tokens = "required"
    # (see the metadata-options reference below).
    message: AWS EC2 Instance allowing use of the IMDSv1
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      references:
        - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      # Presumably LOW because the misconfiguration is not reachable on its
      # own; an attacker still needs a separate SSRF/RCE foothold on the host.
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    # Two independent ways to end up with IMDSv1 reachable:
    pattern-either:
      # (1) IMDSv1 explicitly enabled. Scoped to a metadata_options block,
      # not to aws_instance, so an explicit "optional" in any other resource
      # that carries metadata_options is reported as well. It has no
      # http_endpoint exclusion, so it also fires when the same block sets
      # http_endpoint = "disabled" -- arguably a false positive, since IMDS
      # is then unreachable regardless of the token mode.
      - patterns:
          - pattern: http_tokens = "optional"
          - pattern-inside: |
              metadata_options { ... }
      # (2) IMDSv1 enabled by omission. An aws_instance that never sets
      # http_tokens is left at the default ("optional"), so the whole
      # resource is reported unless one of the exclusions below applies.
      # NOTE(review): only aws_instance is covered by this default case;
      # instances created through launch templates/configurations (e.g.
      # behind an autoscaling group) get no default-case finding here.
      - patterns:
          - pattern: |
              resource "aws_instance" "$NAME" {
                ...
              }
          # Exclusion: IMDSv2 tokens enforced -- the desired state.
          - pattern-not: |
              resource "aws_instance" "$NAME" {
                ...
                metadata_options {
                  ...
                  http_tokens = "required"
                  ...
                }
                ...
              }
          # Exclusion: an explicit "optional" is already reported by (1) on
          # the offending line; skipping it here avoids a duplicate finding
          # on the resource.
          - pattern-not: |
              resource "aws_instance" "$NAME" {
                ...
                metadata_options {
                  ...
                  http_tokens = "optional"
                  ...
                }
                ...
              }
          # Exclusion: IMDS switched off entirely, so there is no IMDSv1 to
          # reach and http_tokens is irrelevant.
          - pattern-not: |
              resource "aws_instance" "$NAME" {
                ...
                metadata_options {
                  ...
                  http_endpoint = "disabled"
                  ...
                }
                ...
              }
    severity: ERROR

Examples

ec2-imdsv1-optional.tf

# Explicitly opts in to IMDSv1 while the endpoint is enabled. Reported by the
# rule's first pattern, on the http_tokens line itself.
resource "aws_instance" "test-instance-bad-http-tokens-optional" {
  ami = "ami-0d5eff06f840b45e9"

  metadata_options {
    http_endpoint = "enabled"
    # ruleid: ec2-imdsv1-optional
    http_tokens = "optional"
  }
}

# No metadata_options block at all, so http_tokens is left at its default
# ("optional"). Reported by the rule's second pattern on the whole resource.
# ruleid: ec2-imdsv1-optional
resource "aws_instance" "test-instance-bad-no-metadata-options" {
  ami = "ami-0d5eff06f840b45e9"
}

# metadata_options is present and the endpoint is enabled, but http_tokens is
# omitted and therefore defaults to "optional". Reported on the whole
# resource by the rule's second pattern.
# ruleid: ec2-imdsv1-optional
resource "aws_instance" "test-instance-bad-v3-http-tokens-default-optional" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    http_endpoint = "enabled"
  }
}

# Explicit "optional" with http_endpoint left at its default. Reported by the
# rule's first pattern on the http_tokens line; the second pattern skips this
# resource so it is not flagged twice.
resource "aws_instance" "test-instance-bad-http-tokens-optional-v2" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    # ruleid: ec2-imdsv1-optional
    http_tokens = "optional"
  }
}

# metadata_options only sets instance_metadata_tags; both http_endpoint and
# http_tokens stay at their defaults, so IMDSv1 remains allowed. Reported on
# the whole resource by the rule's second pattern.
# ruleid: ec2-imdsv1-optional
resource "aws_instance" "test-instance-bad-all-default-values" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}

# Hardened configuration: IMDSv2 session tokens are required, so unauthenticated
# IMDSv1 requests are refused. Matches the rule's first exclusion. (The rule
# also accepts http_endpoint = "disabled", which is not exercised by a fixture
# here.)
# ok: ec2-imdsv1-optional
resource "aws_instance" "test-instance-good" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens = "required"
  }
}