
Updates IMDS syntax & ECR encryption syntax | tfsec/checkov ignores

No actual changes are being made; I verified the console settings and hard coded the syntax in TF.

For IMDS, enabling the 'enforce' feature on most of the EC2 fleet will break Salt state that has a file source of s3://*. We'd definitely prefer to have imdsv2 if we could, but it's not safe to turn on in our environment at this time. Most changes concern syntax placement for tfsec / checkov ignores.

aws_instance should activate session tokens for Instance Metadata Service. Instance does not require IMDS access to require a token

ID         - aws-ec2-enforce-http-token-imds
Severity   - High
Impact     - Instance metadata service can be interacted with freely
Resolution - Enable HTTP token requirement for IMDS

tfsec   - https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/ec2/enforce-http-token-imds/
checkov - https://docs.bridgecrew.io/docs/bc_aws_general_31
AWS     - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

**Verified that all ECR Repos are already encrypted; syntax updated in TF only.**

ECR Repository should use customer managed keys to allow more control. Repository is not encrypted using KMS.

ID         - aws-ecr-repository-customer-key
Severity   - Low
Impact     - Using AWS managed keys does not allow for fine grained control
Resolution - Use customer managed keys

tfsec   - https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/ecr/repository-customer-key/
checkov - https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted
AWS     - https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html
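As an added illustration, not code from this commit or from the xdr-terraform-modules repository: the two findings quoted above written out in Terraform, with the tfsec and checkov ignore comments placed where each scanner reads them, the IMDSv1-tolerant setting beside the enforced one, and an ECR repository on a customer-managed key. Resource names, variables, the KMS key, the expiry date and the checkov check IDs (CKV_AWS_79, CKV_AWS_136) are assumptions, not values taken from this page.

```hcl
# IMDS: IMDSv1 deliberately left enabled, suppressed with a documented reason.
# tfsec reads the ignore from the line directly above the flagged block;
# the ":exp:" date (assumed) makes the exception expire so it gets revisited.
#tfsec:ignore:aws-ec2-enforce-http-token-imds:exp:2024-12-31
resource "aws_instance" "sensu" {
  # checkov reads skips from inside the resource block (check ID assumed).
  #checkov:skip=CKV_AWS_79:IMDSv2 enforcement breaks Salt states with s3:// file sources
  ami           = var.ami_id      # assumed variable
  instance_type = "t3.medium"
  subnet_id     = var.subnet_id   # assumed variable

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional"   # IMDSv1 still accepted: what both scanners flag
    http_put_response_hop_limit = 1            # keeps token responses on the instance itself
  }
}

# IMDS: the enforced form the finding asks for (hosts without the Salt s3:// dependency).
resource "aws_instance" "hardened" {
  ami           = var.ami_id
  instance_type = "t3.medium"
  subnet_id     = var.subnet_id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"   # IMDSv2 only; no ignore comment needed
    http_put_response_hop_limit = 1
  }
}

# ECR: customer-managed KMS key, the form that clears aws-ecr-repository-customer-key.
resource "aws_kms_key" "ecr" {
  description         = "ECR image encryption (assumed key)"
  enable_key_rotation = true
}

resource "aws_ecr_repository" "images" {
  name                 = "example-images"   # assumed name
  image_tag_mutability = "IMMUTABLE"

  # With encryption_type = "KMS" but no kms_key, ECR falls back to the AWS-managed
  # key, which is exactly the Low finding; a checkov skip (ID assumed) would go here
  # only if that fallback were kept on purpose:
  # #checkov:skip=CKV_AWS_136:reason
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }
}
```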
Jeremy Cooper [AFS MBP] 3 years ago
Parent
Commit 68335a946a
1 changed file with 1 addition and 1 deletion

+ 1 - 1
test/aws-us-gov/mdr-test-c2/095-instance-sensu/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/sensu?ref=v5.1.5"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/sensu?ref=v5.1.12"
 }
 
 dependency "vpc-system-services" {
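Review bot: the only change in this hunk is the sensu module pin moving from `ref=v5.1.5` to `ref=v5.1.12`, while the commit message describes IMDS and ECR encryption syntax updates and tfsec/checkov ignore placement, none of which appear here; those edits must sit in the module releases between the two tags. Since the message asserts "No actual changes are being made", it would help to name the xdr-terraform-modules release or change that carries the IMDS/ECR syntax and to attach the terragrunt plan for 095-instance-sensu showing an empty resource diff, because this one-line bump pulls in every module change from v5.1.5 through v5.1.12 at once.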