turbot/oci_compliance

Control: 3.1 Ensure Compute Instance Legacy Metadata service endpoint is disabled

Description

Compute Instances that use the Legacy Metadata service endpoint (IMDSv1) are susceptible to SSRF attacks, because any request an attacker can make originate from the instance can reach the metadata service without further authentication. To reduce this exposure, it is strongly advised to reconfigure Compute Instances to use Instance Metadata Service v2 only, in line with industry best practice.

Enabling Instance Metadata Service v2 enhances security and grants precise control over metadata access. Transitioning from IMDSv1 reduces the risk of SSRF attacks, bolstering system protection.

IMDSv1 poses security risks due to its weaker access controls and limited auditing capabilities. Transitioning to IMDSv2 provides a more secure environment with stronger request protections and improved monitoring capabilities.

Remediation

From Console

  1. Login to OCI Console.
  2. Click on the search box at the top of the console and search for compute instance name.
  3. Click on the instance name. In the Instance Details section, next to Instance Metadata Service, click Edit.
  4. For the Instance metadata service, select the Version 2 only option.
  5. Click Save Changes.

Note: Disabling IMDSv1 on an incompatible instance may result in connectivity issues upon launch.

To re-enable IMDSv1, follow these steps:

  1. On the Instance Details page in the Console, click Edit next to Instance Metadata Service.
  2. Choose the Version 1 and version 2 option, and save your changes.

From CLI

Run the command below, substituting the OCID of the instance to remediate:

oci compute instance update --instance-id [instance-ocid] --instance-options '{"areLegacyImdsEndpointsDisabled": true}'

This will set Instance Metadata Service to use Version 2 Only.

Default Value

Versions 1 and 2

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_3_1 --share

SQL

This control uses a named query:

core_instance_legacy_metadata_service_endpoint_disabled
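The query below is an added example of how this kind of check is expressed in Steampipe's SQL shape (one row per resource with `resource`, `status` and `reason` columns); it is not the mod's own `core_instance_legacy_metadata_service_endpoint_disabled` query. It assumes the Steampipe `oci_core_instance` table exposes the instance's options as a `jsonb` column named `instance_options`, keyed as the OCI API returns them (`areLegacyImdsEndpointsDisabled`). The three instance rows are constructed inline in a CTE that shadows the table name, so the query runs on any PostgreSQL without a Steampipe connection; drop the CTE to run it against the real table.

```sql
-- Added example, not the mod's own query. Assumption: the Steampipe
-- oci_core_instance table carries the API's InstanceOptions object in a jsonb
-- column named instance_options, with the key "areLegacyImdsEndpointsDisabled".
-- The CTE below holds constructed sample rows standing in for that table:
--   web-1   : legacy endpoint disabled (IMDSv2 only)       -> ok
--   web-2   : legacy endpoint explicitly left enabled      -> alarm
--   batch-1 : options never set, so the default (v1 and v2) applies -> alarm
with oci_core_instance as (
  select *
  from (values
    ('ocid1.instance.oc1..example-a', 'web-1',   '{"areLegacyImdsEndpointsDisabled": true}'::jsonb),
    ('ocid1.instance.oc1..example-b', 'web-2',   '{"areLegacyImdsEndpointsDisabled": false}'::jsonb),
    ('ocid1.instance.oc1..example-c', 'batch-1', null::jsonb)
  ) as t(id, display_name, instance_options)
)
select
  id as resource,
  -- A missing key or a null options object means IMDSv1 is still served,
  -- so both are treated the same as an explicit false.
  case
    when coalesce((instance_options ->> 'areLegacyImdsEndpointsDisabled')::boolean, false)
      then 'ok'
    else 'alarm'
  end as status,
  display_name || case
    when coalesce((instance_options ->> 'areLegacyImdsEndpointsDisabled')::boolean, false)
      then ' has the legacy IMDSv1 endpoint disabled (IMDSv2 only).'
    else ' still serves IMDSv1; an SSRF from the instance can reach instance metadata.'
  end as reason
from oci_core_instance
order by status, display_name;
```

Running this in `psql` returns three rows: `batch-1` and `web-2` in `alarm`, `web-1` in `ok`. The `coalesce(..., false)` is the part worth keeping when adapting the check: an instance whose options were never touched reports no key at all, and it must land in `alarm` rather than silently passing.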

Tags