aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::EC2::Instance - MetadataOptions #655

Open michaelwittig opened 3 years ago

michaelwittig commented 3 years ago

1. AWS::EC2::Instance-MetadataOptions

2. Scope of request

Add support to configure the EC2 IMDS to support:

3. Expected behavior

Allow CloudFormation to launch EC2 instance with IMDS disabled or restricted to v2.

5. Helpful Links to speed up research and evaluation

6. Category

  1. Compute (EC2, ECS, EKS, Lambda...)

7. Context

related #273 for AWS::AutoScaling::LaunchConfiguration

0xdabbad00 commented 2 years ago

Looks like this is now possible via Launch Templates: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-metadataoptions

mildebrandt commented 2 years ago

@0xdabbad00 Right, that has been true for quite a while. This issue is to add it to the AWS::EC2::Instance type: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html

coreylane commented 2 years ago

Any update?

yoroto commented 2 years ago

Any update?

fortygigserver commented 2 years ago

This would also be useful to set the feature "instance-metadata-tags" to enabled

r-azh commented 2 years ago

I agree this is a useful feature to set the feature "instance-metadata-tags" to enabled.

kenlawrie1 commented 2 years ago

Hi, any update on this? Having to use launch templates to enable ImdsV2 on EC2 instances is causing us issues. Launch templates don't allow tags with spaces, and our SCP policies fail if we enforce both tags and ImdsV2 at the same time; hopefully this will improve when this CloudFormation limitation is resolved.

edc1934 commented 1 year ago

Any updates? Also need this feature.

JohnPeacockMessageSystems commented 1 year ago

Going on two years for this trivial feature. I'm still trying to use Service Catalog, which requires vanilla CloudFormation. The InstanceMetadataTags option is missing from Launch Templates, so I can't use that either.

donwalter commented 1 year ago

Add me to the list of people who would like this feature added.

torabTech commented 1 year ago

Hi everyone,

Is there any example of enabling IMDSv2 in Autoscaling:Launchconfiguration cloudformation template? I would highly appreciate any reference or example.

otakusid commented 1 year ago

@torabTech HttpPutResponseHopLimit set to 2 is required because IMDSv2 brings an extra hop in communication with the metadata service

"LaunchTemplate": {
  "Type": "AWS::EC2::LaunchTemplate",
  "Properties": {
    "LaunchTemplateData": {
      "MetadataOptions": {
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 2
      }
    }
  }
}

"AutoScalingGroup": {
  "Type": "AWS::AutoScaling::AutoScalingGroup",
  "Properties": {
    "LaunchTemplate": {
      "LaunchTemplateId": {
        "Ref": "LaunchTemplate"
      },
      "Version": {
        "Fn::GetAtt": [
          "LaunchTemplate",
          "LatestVersionNumber"
        ]
      }
    }
  }
}

cs-dww commented 1 year ago

Adding a +1 here. We need this option as well.

AWS - What if we said Pretty Please?

Rob-El commented 1 year ago

IMDSv2 is also part of the Security Hub standards - EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2). Our security score gets dinged when we don't use IMDSv2, but we're also supposed to use code to provision resources. This creates a catch-22 situation. I hope this helps as far as prioritizing. Thank you!
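As an added example (not code from this thread or from the CloudFormation project), the script below lints a CloudFormation JSON template for the property the Security Hub EC2.8 control is about: it reports launch templates whose MetadataOptions do not set HttpTokens to required, and instances or Auto Scaling groups that either reference such a template or reference no launch template at all (the gap this issue describes, since AWS::EC2::Instance itself carries no MetadataOptions). The sample template, its logical ids and AMI ids are constructed for the demo, and the helper names are my own.

```python
"""Lint a CloudFormation JSON template for IMDSv2 enforcement.

Added example; not part of the GitHub thread or the CloudFormation project.
Every resource, logical id and AMI id in SAMPLE_TEMPLATE is constructed.
"""
import json
from typing import Dict, List, Optional, Tuple

EC2_INSTANCE = "AWS::EC2::Instance"
LAUNCH_TEMPLATE = "AWS::EC2::LaunchTemplate"
AUTO_SCALING_GROUP = "AWS::AutoScaling::AutoScalingGroup"

# Constructed sample: one hardened launch template (same HttpTokens /
# HttpPutResponseHopLimit shape as the snippet posted earlier in the thread),
# one that still allows IMDSv1, and consumers of each.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "HardenedLT": {
            "Type": LAUNCH_TEMPLATE,
            "Properties": {"LaunchTemplateData": {"MetadataOptions": {
                "HttpTokens": "required", "HttpPutResponseHopLimit": 2}}},
        },
        "LegacyLT": {
            "Type": LAUNCH_TEMPLATE,
            "Properties": {"LaunchTemplateData": {"MetadataOptions": {
                "HttpTokens": "optional"}}},
        },
        "WebServer": {
            "Type": EC2_INSTANCE,
            "Properties": {"ImageId": "ami-0123456789example", "LaunchTemplate": {
                "LaunchTemplateId": {"Ref": "HardenedLT"},
                "Version": {"Fn::GetAtt": ["HardenedLT", "LatestVersionNumber"]}}},
        },
        "BatchHost": {
            "Type": EC2_INSTANCE,
            "Properties": {"ImageId": "ami-0123456789example", "LaunchTemplate": {
                "LaunchTemplateId": {"Ref": "LegacyLT"}, "Version": "1"}},
        },
        # Plain instance with no launch template: nothing in the template
        # can require IMDSv2 here, which is the limitation this issue tracks.
        "Bastion": {"Type": EC2_INSTANCE, "Properties": {"ImageId": "ami-0123456789example"}},
        "Workers": {
            "Type": AUTO_SCALING_GROUP,
            "Properties": {"LaunchTemplate": {
                "LaunchTemplateId": {"Ref": "LegacyLT"}, "Version": "1"}},
        },
    }
})


def template_requires_tokens(lt_resource: dict) -> bool:
    """True when the launch template's MetadataOptions sets HttpTokens: required."""
    data = lt_resource.get("Properties", {}).get("LaunchTemplateData", {})
    return data.get("MetadataOptions", {}).get("HttpTokens") == "required"


def referenced_template(lt_property: Optional[dict], templates: Dict[str, dict]) -> Optional[str]:
    """Resolve an instance's or ASG's LaunchTemplate property to a logical id.

    Handles {"Ref": "X"} in LaunchTemplateId and a literal LaunchTemplateName
    equal to a logical id. Anything else (imported ids, parameters) resolves
    to None, which the caller reports as "cannot be verified from this stack".
    """
    if not lt_property:
        return None
    lt_id = lt_property.get("LaunchTemplateId")
    if isinstance(lt_id, dict) and isinstance(lt_id.get("Ref"), str):
        return lt_id["Ref"]
    name = lt_property.get("LaunchTemplateName")
    if isinstance(name, str) and name in templates:
        return name
    return None


def find_imdsv2_findings(template_text: str) -> List[Tuple[str, str]]:
    """Return (logical_id, reason) for every resource that does not enforce IMDSv2."""
    resources = json.loads(template_text).get("Resources", {})
    templates = {lid: r for lid, r in resources.items() if r.get("Type") == LAUNCH_TEMPLATE}
    findings: List[Tuple[str, str]] = []
    for lid, res in resources.items():
        rtype = res.get("Type")
        if rtype == LAUNCH_TEMPLATE:
            if not template_requires_tokens(res):
                findings.append((lid, "launch template does not set HttpTokens: required"))
        elif rtype in (EC2_INSTANCE, AUTO_SCALING_GROUP):
            ref = referenced_template(res.get("Properties", {}).get("LaunchTemplate"), templates)
            if ref is None:
                findings.append((lid, "no launch template resolved in this stack; "
                                      "IMDSv2 cannot be enforced from the template"))
            elif not template_requires_tokens(templates[ref]):
                findings.append((lid, f"uses launch template {ref}, which does not require IMDSv2"))
    return findings


if __name__ == "__main__":
    for logical_id, reason in find_imdsv2_findings(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against a real template, the script is a pre-deploy gate: it catches the IMDSv1-permitting launch template, the consumers that point at it, and the bare instance that the current AWS::EC2::Instance resource cannot harden, so the EC2.8 failure is known before Security Hub reports it.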

siebrand commented 1 year ago

@Rob-El : use a launch template for your instance with only those parts that you need, and include that in the instance. It also allows you to tag network interfaces and volumes as a bonus. But beware of changes in the launch template once deployed, as that can cause a redeploy.

Rob-El commented 1 year ago

@siebrand Thanks for the tip! I do understand that launch templates are a workaround, I read through all the previous comments. In my opinion, Launch Templates adds a cumbersome amount of config, for various reasons.

Also, redeployment is highly undesirable in our environment, as we have a lot of 3rd-party, static applications that are long-lived. (We create the server, install the OS, hand it off to another team.) Over time we add additional tags, add a volume, etc. If any of those operations (or the dozen other reasons we update a CF template) caused a re-deploy, it would wipe the app and force a restore from backups, etc.

I'm happy to use ELB, ASGs, and Launch Templates for their own particular use cases, but these applications are not designed for use in those environments. Thanks again!

josephhernandezphd commented 1 year ago

Extremely useful option. This should be roadmapped.

smorgant commented 1 year ago

Same here, having to rewrite all my templates to be able to get "instance-metadata-tags" enabled; 2 years seems a long time for this to be at minimum reviewed.

kylegibson commented 1 year ago

Ugh

kz974 commented 1 year ago

Oh yes please. Been wishing for this since 2019!

anjanasilva commented 10 months ago

Have you guys realised you can disable IMDSV1 in a running AMI?

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html

Run the following from a place where you can run AWS commands:

aws ec2 modify-image-attribute \
    --image-id ami-0123456789example \
    --imds-support v2.0

Any EC2 instances launched using the above AMI will have IMDSV1 disabled.

I hope this helps, Thanks

jpSimkins commented 2 months ago

2024 check in on the status. Still would like to have this for systems that don't need or require a launch template.