modernisation-platform
Use Instance Metadata Service Version 2 as default
User Story
As a security engineer
I want users to use IMDSv2 in EC2 instances as default
So that they follow best practice
https://aws.amazon.com/about-aws/whats-new/2024/03/set-imdsv2-default-new-instance-launches/
This is to enable it in all accounts (on account level).
Value / Purpose
Encourage users to follow best practice
Useful Contacts
No response
Additional Information
No response
Proposal / Unknowns
Hypothesis If we... [do a thing] Then... [this will happ]
Proposal A proposal that is something testable, don't worry whether it works or not, it's a place for ideas.
Unknowns Potential pitfalls that could cause the story to expand beyond its original scope. Ideally this section will remain blank.
Definition of Done
- [ ] Enable IMDSv2 by default on all member accounts
- [ ] User docs have been updated
- [ ] Another team member has reviewed
- [ ] Tests are green
This can be done without too much difficulty on EC2 instances like so:

```terraform
resource "aws_instance" "this" {
  ...
  metadata_options {
    http_tokens = "required"
  }
}
```
To deploy at account level with Terraform, use the `aws_ec2_instance_metadata_defaults` resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults
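As an added example (not the platform's or the baselines module's own code), the account-level default set in two regions, with a per-instance block showing that explicit `metadata_options` still take precedence. Region names and the `ami_id` variable are assumptions.

```terraform
# Added example: account-level IMDSv2 default, not code from the project.
# The default is regional, so one resource is needed per region (provider alias).

variable "ami_id" {
  type = string # assumed: AMI for the demonstration instance
}

provider "aws" {
  region = "eu-west-2" # assumed region
}

provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1" # assumed second region
}

resource "aws_ec2_instance_metadata_defaults" "eu_west_2" {
  http_endpoint               = "enabled"
  http_tokens                 = "required" # IMDSv2 only for new launches that set no metadata_options
  http_put_response_hop_limit = 1          # response cannot cross a network hop (e.g. a bridged container)
  instance_metadata_tags      = "no-preference"
}

resource "aws_ec2_instance_metadata_defaults" "eu_west_1" {
  provider                    = aws.eu_west_1
  http_endpoint               = "enabled"
  http_tokens                 = "required"
  http_put_response_hop_limit = 1
}

# A per-instance metadata_options block overrides the account default, so an
# instance module that sets http_tokens = "optional" would still allow IMDSv1.
# Setting "required" here keeps the instance aligned with the account default.
resource "aws_instance" "this" {
  ami           = var.ami_id
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
```

The account default only affects new launches; instances already running keep their current metadata options and must be changed individually (for example with `aws ec2 modify-instance-metadata-options`), and the effective default can be confirmed with `aws ec2 get-instance-metadata-defaults`.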
https://github.com/ministryofjustice/modernisation-platform/pull/6930 - Draft PR to default to IMDSv2 pointing at updated baseline module.
https://github.com/ministryofjustice/modernisation-platform-terraform-baselines/pull/446 - PR to update the baselines module to include IMDSv2 by default.
New release of the Baselines module enabling IMDSv2 by default: v7.1.0
Notice sent in the update channel https://mojdt.slack.com/archives/C02L5MCJ12N/p1715258727944999