Update ec2.tf #176
Prisma Cloud has found errors in this PR ⬇️
@@ -1,7 +1,7 @@ | |||
resource "aws_instance" "web_host" { | |||
# ec2 have plain text secrets in user data | |||
ami = "${var.ami}" | |||
instance_type = "t2.nano" | |||
instance_type = "t3.nano" |
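Review bot: the `ami = "${var.ami}"` line kept as context in this hunk still uses the legacy interpolation-only string form, which Terraform 0.12 and later flags as deprecated; since the resource is being edited anyway, change it to `ami = var.ami`. Separately, the surviving comment `# ec2 have plain text secrets in user data` describes a problem that the `t2.nano` to `t3.nano` change does not touch: the three Checkov findings on this resource below (CKV_AWS_79, CKV_AWS_126, CKV_AWS_46) all remain open after this hunk, so the PR title "Update ec2.tf" does not describe a security fix.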
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_79
How to Fix
resource "aws_instance" "example" {
...
instance_type = "t2.micro"
+ metadata_options {
...
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
...
}
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata.
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
As a request/response method IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
@@ -1,7 +1,7 @@ | |||
resource "aws_instance" "web_host" { | |||
# ec2 have plain text secrets in user data | |||
ami = "${var.ami}" | |||
instance_type = "t2.nano" | |||
instance_type = "t3.nano" |
AWS EC2 instance detailed monitoring disabled
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_126
How to Fix
resource "aws_instance" "test" {
+ monitoring = true
}
Description
Enabling detailed monitoring for Amazon Elastic Compute Cloud (EC2) instances can provide you with additional data and insights about the performance and utilization of your instances.
Detailed monitoring can provide you with more data about the utilization of your instances, which can be helpful for capacity planning and optimization.
@@ -1,7 +1,7 @@ | |||
resource "aws_instance" "web_host" { | |||
# ec2 have plain text secrets in user data | |||
ami = "${var.ami}" | |||
instance_type = "t2.nano" | |||
instance_type = "t3.nano" |
EC2 user data exposes secrets
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_46
How to Fix
resource "aws_instance" "web" {
...
instance_type = "t3.micro"
- user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}
Description
User Data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched.
It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations.
This code is not encrypted.
Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.
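The three Checkov findings above (CKV_AWS_79 IMDSv2, CKV_AWS_126 detailed monitoring, CKV_AWS_46 secrets in user data) all land on the same `aws_instance.web_host` resource, so the following is one hardened version of that resource that closes all three at once. This is an added example, not code from the repository or from the Prisma Cloud comments; `var.subnet_id`, the IAM role and profile names, and the SSM parameter path `/web_host/app/secret_key` are assumptions introduced for illustration, and the user-data script assumes an AMI that ships the AWS CLI (for example Amazon Linux).

```hcl
# Added example: hardened aws_instance.web_host. var.subnet_id, the IAM
# names and the SSM parameter path are assumptions, not values from the PR.

variable "ami" {
  type = string
}

variable "subnet_id" {
  type = string
}

# The secret lives in SSM Parameter Store as a SecureString, created out of
# band. Only its path appears in Terraform; the value never enters user_data.
locals {
  app_secret_parameter = "/web_host/app/secret_key" # assumed path
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Role the instance assumes at boot to read that one parameter (least privilege).
resource "aws_iam_role" "web_host" {
  name = "web-host-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "read_secret" {
  name = "read-app-secret"
  role = aws_iam_role.web_host.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter"]
      Resource = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.app_secret_parameter}"
    }]
  })
}

resource "aws_iam_instance_profile" "web_host" {
  name = "web-host-profile"
  role = aws_iam_role.web_host.name
}

resource "aws_instance" "web_host" {
  ami                  = var.ami # plain reference, not "${var.ami}"
  instance_type        = "t3.nano"
  subnet_id            = var.subnet_id
  iam_instance_profile = aws_iam_instance_profile.web_host.name

  # CKV_AWS_126: one-minute CloudWatch metrics instead of five-minute basic ones.
  monitoring = true

  # CKV_AWS_79: every metadata request must carry an IMDSv2 session token.
  # A hop limit of 1 keeps the token response from crossing a NAT or
  # container bridge on the host, the relay case the description mentions.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_46: user_data carries the parameter path only. The value is
  # fetched at boot with the instance role's credentials and written to a
  # root-only file; nothing secret is visible in DescribeInstanceAttribute.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    SECRET_PATH="${local.app_secret_parameter}"
    REGION="${data.aws_region.current.name}"
    install -d -m 0700 /etc/web_host
    aws ssm get-parameter --region "$REGION" --name "$SECRET_PATH" \
      --with-decryption --query Parameter.Value --output text \
      > /etc/web_host/secret_key
    chmod 0600 /etc/web_host/secret_key
  EOF

  tags = {
    Name = "web_host"
  }
}
```

Running `checkov -d .` against a module containing this resource clears the three findings quoted above. The design choice worth noting is that the secret is moved out of Terraform entirely rather than into a `data "aws_ssm_parameter"` lookup: a data-source lookup would pull the decrypted value into the plan and state file and, if interpolated into `user_data`, back into the very field CKV_AWS_46 warns about. Fetching at boot under an instance role keeps the value off disk in state, out of the launch template, and bounded by the IAM policy above.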