PaloAltoNetworks / AWS-GWLB-VMSeries

This repository contains CFT and TF templates for deploying VM-Series Firewalls behind AWS Gateway Load Balancer
MIT License

Need documentation that Palo Alto AMIs do not support IMDSv2 #25

Open maljb opened 2 years ago

maljb commented 2 years ago

Documentation link

https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/terraform/README.md

Describe the problem

I think we should add to Prerequisites that the Palo Alto AMI needs IMDSv1. The instance can't read user-data from the AWS instance parameters at first boot if only IMDSv2 is allowed (for example, by an SCP of the AWS Organization).

Suggested fix

  1. Make sure of the IMDS settings
    • The Palo Alto AMI needs IMDSv1 to get user-data
    • aws_instance.http_tokens=optional

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

0xdabbad00 commented 2 years ago

Does Palo Alto now support IMDSv2 via https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300.html ?

I do not use any PAN products, but I've been tracking this via the IMDSv2 Wall of Shame: https://github.com/SummitRoute/imdsv2_wall_of_shame

maljb commented 2 years ago

@0xdabbad00 Finally, Yes! :)

But there are some limitations. It's only supported on PAN-OS 10.2.0 and above (you need to upgrade from other versions), and it is not yet present on the AWS Marketplace.
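
The Prerequisites setting suggested in the issue (http_tokens = optional for images that still need IMDSv1) and the PAN-OS 10.2.0 version gate from this reply, as an added Terraform example that is not taken from the repository's templates; the variable names, instance type, AMI input and bootstrap file path are assumptions.

```hcl
# Added example, not part of the AWS-GWLB-VMSeries templates: pick the IMDS
# token mode for a VM-Series instance from whether the PAN-OS image can use IMDSv2.

variable "panos_supports_imdsv2" {
  description = "true for PAN-OS 10.2.0 or later (per this thread); false for older images"
  type        = bool
  default     = false
}

variable "vmseries_ami_id" {
  description = "Hypothetical input; the templates resolve the AMI id themselves"
  type        = string
}

resource "aws_instance" "vmseries" {
  ami           = var.vmseries_ami_id
  instance_type = "m5.xlarge"                       # constructed sample value
  user_data     = file("${path.module}/bootstrap.txt") # hypothetical bootstrap parameters read over IMDS at first boot

  metadata_options {
    http_endpoint = "enabled"
    # "optional" leaves IMDSv1 reachable so an older PAN-OS image can read user-data
    # at first boot; "required" enforces IMDSv2 and only works on images that support it.
    # An Organizations SCP that mandates IMDSv2 will block the "optional" launch.
    http_tokens = var.panos_supports_imdsv2 ? "required" : "optional"
    # Hop limit 1 keeps IMDS responses from being forwarded past the instance itself.
    http_put_response_hop_limit = 1
  }
}

output "vmseries_imds_mode" {
  value = aws_instance.vmseries.metadata_options[0].http_tokens
}
```

After upgrading an existing instance to PAN-OS 10.2.0 or later, flipping the variable to true and applying updates metadata_options in place.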

mathiznogoud commented 2 years ago

I've tried to remediate using an automation script through the AWS CLI and it solved the IMDSv1 problem for VM-Series. Currently I'm using the latest version of PAN-OS.