terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional
AWS EC2 Instance allowing use of the IMDSv1
Definition
rules:
  # Reports aws_instance resources whose Instance Metadata Service still answers
  # token-less (IMDSv1) requests. That is the request an SSRF-reached service
  # issues to read instance-role credentials, hence the CWE-918 classification.
  - id: ec2-imdsv1-optional
    message: AWS EC2 Instance allowing use of the IMDSv1
    severity: ERROR
    languages: [hcl]
    metadata:
      category: security
      subcategory: [vuln]
      technology: [terraform, aws]
      cwe:
        - 'CWE-918: Server-Side Request Forgery (SSRF)'
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - 'A10:2021 - Server-Side Request Forgery (SSRF)'
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      references:
        - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
      license: 'Commons Clause License Condition v1.0[LGPL-2.1-only]'
    pattern-either:
      # Branch 1: IMDSv1 explicitly re-enabled. The finding is the http_tokens
      # line itself. pattern-inside is scoped to any metadata_options block, not
      # to aws_instance, so an explicit "optional" in another resource type that
      # carries a metadata_options block would match this branch as well.
      - patterns:
          - pattern: 'http_tokens = "optional"'
          - pattern-inside: |
              metadata_options { ... }
      # Branch 2: aws_instance that makes no decision. The whole resource is
      # reported unless it pins http_tokens = "required", sets "optional"
      # (presumably left to branch 1 so one resource is not reported twice), or
      # switches the endpoint off altogether, in which case no metadata is
      # reachable over either protocol version.
      # NOTE(review): reporting the silent case relies on the provider default
      # for http_tokens being optional — confirm against the metadata-options
      # docs linked in references.
      - patterns:
          - pattern: |
              resource "aws_instance" "$NAME" {
                ...
              }
          - pattern-not: |
              resource "aws_instance" "$NAME" {
                ...
                metadata_options {
                  ...
                  http_tokens = "required"
                  ...
                }
                ...
              }
          - pattern-not: |
              resource "aws_instance" "$NAME" {
                ...
                metadata_options {
                  ...
                  http_tokens = "optional"
                  ...
                }
                ...
              }
          - pattern-not: |
              resource "aws_instance" "$NAME" {
                ...
                metadata_options {
                  ...
                  http_endpoint = "disabled"
                  ...
                }
                ...
              }
Examples
ec2-imdsv1-optional.tf
# Explicit IMDSv1 opt-in: the http_tokens = "optional" line inside
# metadata_options is what the rule's first pattern-either branch reports,
# regardless of the (otherwise fine) http_endpoint setting.
resource "aws_instance" "test-instance-bad-http-tokens-optional" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    http_endpoint = "enabled"
    # ruleid: ec2-imdsv1-optional
    http_tokens = "optional"
  }
}
# No metadata_options block at all: nothing pins http_tokens, so none of the
# rule's pattern-not exclusions apply and the second branch reports the whole
# resource (the finding is anchored on the resource line below).
# ruleid: ec2-imdsv1-optional
resource "aws_instance" "test-instance-bad-no-metadata-options" {
  ami = "ami-0d5eff06f840b45e9"
}
# metadata_options present but http_tokens omitted: the endpoint is enabled and
# the token requirement is left to the provider default, which the resource name
# records as optional. The rule's second branch reports the resource line.
# ruleid: ec2-imdsv1-optional
resource "aws_instance" "test-instance-bad-v3-http-tokens-default-optional" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    http_endpoint = "enabled"
  }
}
# Same explicit opt-in as the first case, without an http_endpoint line: the
# first branch still reports the http_tokens line, and the "optional" pattern-not
# keeps the second branch from reporting the resource a second time.
resource "aws_instance" "test-instance-bad-http-tokens-optional-v2" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    # ruleid: ec2-imdsv1-optional
    http_tokens = "optional"
  }
}
# metadata_options contains an unrelated attribute only; http_tokens and
# http_endpoint both fall back to their defaults, so no exclusion matches and the
# second branch reports the resource line.
# ruleid: ec2-imdsv1-optional
resource "aws_instance" "test-instance-bad-all-default-values" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    instance_metadata_tags = "enabled"
  }
}
# Compliant configuration: http_tokens = "required" forces IMDSv2 (session-token)
# requests, which is the pattern-not exclusion on the second branch, and there
# is no "optional" line for the first branch to report.
# ok: ec2-imdsv1-optional
resource "aws_instance" "test-instance-good" {
  ami = "ami-0d5eff06f840b45e9"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens = "required"
  }
}