aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws_cdk.aws_ec2 NatInstanceProvider: missing require_imdsv2 #23803

Open iamgabeortiz opened 1 year ago

iamgabeortiz commented 1 year ago

Describe the feature

Can we get the require_imdsv2 parameter added to the aws_cdk.aws_ec2 NatInstanceProvider resource? This was resolved for EC2 and ASG here: Support setting EC2 instance metadata to require token (IMDSv2) #5137

16051

16052

Use Case

The AWS Foundational Security Best Practices v1.0.0 for Security Hub will produce a finding for the NAT instances under EC2.8: EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

Proposed Solution

No response

Other Information

No response

CDK version used

2.61.1 (build d319d9c)

Environment details (OS name and version, etc.)

WSL: Ubuntu 20.04.5 LTS (Focal Fossa)

peterwoodworth commented 1 year ago

Thanks for the request; we could certainly add the option to specify this. We would just need to add the setting and a way to toggle it here: https://github.com/aws/aws-cdk/blob/fb67c77855967e7d493f85f4f2d31532efdd560c/packages/%40aws-cdk/aws-ec2/lib/nat.ts#L303-L312

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to reevaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

davemssavage commented 8 months ago

I've just encountered this issue; it'd be nice to have a fix as per the merge request that appears to have got dropped. In the interim, adding the following:

cdk.Aspects.of(stack).add(new ec2.InstanceRequireImdsv2Aspect())

to my app seems to work as a catch-all to ensure the NAT instance is set to IMDSv2: Required.
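As an added example (not code from the issue or the CDK project), here is a small Python check over a synthesized CloudFormation template that flags EC2 instances whose launch template does not require IMDSv2 tokens, which is the condition Security Hub control EC2.8 reports; running it over `cdk synth` output is one way to confirm the Aspect workaround actually reached the NAT instance. The sample template and resource names are constructed, and the check assumes launch templates are referenced either by `{"Ref": ...}` in `LaunchTemplateId` or by a literal `LaunchTemplateName` string.

```python
import json

def _http_tokens(lt_resource):
    # LaunchTemplateData.MetadataOptions.HttpTokens is where IMDSv2 enforcement lives.
    data = lt_resource.get("Properties", {}).get("LaunchTemplateData", {})
    return data.get("MetadataOptions", {}).get("HttpTokens")

def instances_without_imdsv2(template):
    """Return logical ids of AWS::EC2::Instance resources whose launch template
    does not set HttpTokens to 'required'. An instance with no launch template
    fails too, since AWS::EC2::Instance cannot carry MetadataOptions directly."""
    resources = template.get("Resources", {})
    templates = {k: v for k, v in resources.items()
                 if v.get("Type") == "AWS::EC2::LaunchTemplate"}
    by_name = {v.get("Properties", {}).get("LaunchTemplateName"): k
               for k, v in templates.items()}
    failing = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        lt = res.get("Properties", {}).get("LaunchTemplate") or {}
        # Assumption: the CDK emits {"Ref": "<LaunchTemplate logical id>"} for
        # LaunchTemplateId or a literal LaunchTemplateName; other intrinsics
        # (Fn::Join, Fn::GetAtt) are not resolved and count as a failure.
        ref = lt.get("LaunchTemplateId")
        key = ref.get("Ref") if isinstance(ref, dict) else None
        if key is None:
            name = lt.get("LaunchTemplateName")
            key = by_name.get(name) if isinstance(name, str) else None
        if key not in templates or _http_tokens(templates[key]) != "required":
            failing.append(logical_id)
    return failing

# Constructed sample standing in for `cdk synth` output: one NAT instance
# attached to a launch template that requires tokens, one with no template.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "NatLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
      "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}}},
    "NatInstance1": {"Type": "AWS::EC2::Instance", "Properties": {
      "LaunchTemplate": {"LaunchTemplateId": {"Ref": "NatLT"}, "Version": "1"}}},
    "NatInstance2": {"Type": "AWS::EC2::Instance", "Properties": {
      "InstanceType": "t3.nano"}}
  }
}""")

if __name__ == "__main__":
    for logical_id in instances_without_imdsv2(SAMPLE_TEMPLATE):
        print(f"{logical_id}: IMDSv2 not required (Security Hub EC2.8)")
```

Point it at the JSON under `cdk.out/` instead of the sample to check a real stack before deployment.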