[Security] ec2/* - Require IMDSv2 (#756)

michaelwittig · web-flow · commit a721c89a5f8e · 2025-09-09T10:49:06.000+02:00
finally supported by CloudFormation after 5 years aws-cloudformation/cloudformation-coverage-roadmap#655
diff --git a/ec2/al2-mutable-private.yaml b/ec2/al2-mutable-private.yaml
@@ -1219,7 +1219,7 @@ Resources:
           - 'iam:GetSSHPublicKey'
           Resource:
           - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
-  VirtualMachine: # TODO make IMDSv2 required (waits for https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/655)
+  VirtualMachine:
     Type: 'AWS::EC2::Instance'
     Metadata:
       'AWS::CloudFormation::Init':
@@ -1471,6 +1471,8 @@ Resources:
       ImageId: !If [HasRestoreImageId, !Ref RestoreImageId, !FindInMap [!FindInMap [VersionMap, !Ref AmazonLinux2Version, Map], !Ref 'AWS::Region', AMI]]
       InstanceType: !Ref InstanceType
       KeyName: !If [HasKeyName, !Ref KeyName, !Ref 'AWS::NoValue']
+      MetadataOptions:
+        HttpTokens: required
       BlockDeviceMappings:
       - DeviceName: '/dev/xvda'
         Ebs:
diff --git a/ec2/al2-mutable-public.yaml b/ec2/al2-mutable-public.yaml
@@ -1228,7 +1228,7 @@ Resources:
           - 'iam:GetSSHPublicKey'
           Resource:
           - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
-  VirtualMachine: # TODO make IMDSv2 required (waits for https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/655)
+  VirtualMachine:
     DependsOn: EIPAssociation
     Type: 'AWS::EC2::Instance'
     Metadata:
@@ -1481,6 +1481,8 @@ Resources:
       ImageId: !If [HasRestoreImageId, !Ref RestoreImageId, !FindInMap [!FindInMap [VersionMap, !Ref AmazonLinux2Version, Map], !Ref 'AWS::Region', AMI]]
       InstanceType: !Ref InstanceType
       KeyName: !If [HasKeyName, !Ref KeyName, !Ref 'AWS::NoValue']
+      MetadataOptions:
+        HttpTokens: required
       BlockDeviceMappings:
       - DeviceName: '/dev/xvda'
         Ebs:
