Feat: Added the ability to enforce IDMSv2 on firewalls, firewall manager and autoscaling group for firewalls (#869)

* Added support for IMDSv2 option for firewalls autscaling group

* Added support for IMDSv2 option for firewalls/firewall manager instance
Modified the documentation/comments of the disableTermination custom construct.

* Removed a configuration option that is not needed after all

* Fixed a space issue with prettier

* updated lock file

* fixed lock file and linter errors

Co-authored-by: hickeydh-aws <hickeydh@amazon.com>

Author: fredbonin

pnpm-lock.yaml

@@ -232,6 +232,7 @@ async function createFirewallCluster(props: {
     'security-group': securityGroupName,
     'fw-instance-role': instanceRoleName,
     'image-id': imageId,
+    'enforce-imdsv2': enforceImdsV2,
     'instance-sizes': instanceType,
     'block-device-mappings': blockDeviceMappings,
     'apply-tags': tags,
@@ -258,6 +259,7 @@ async function createFirewallCluster(props: {
     vpcCidrBlock: vpc.cidrBlock,
     additionalCidrBlocks: vpc.additionalCidrBlocks,
     imageId,
+    enforceImdsV2,
     instanceType,
     instanceRole,
     instanceProfile,

src/deployments/cdk/src/deployments/firewall/cluster/step-3.ts

@@ -158,6 +158,7 @@ async function createFirewallCluster(props: {
   const {
     name: firewallName,
     'security-group': securityGroupName,
+    'enforce-imdsv2': enforceImdsv2,
     'fw-instance-role': instanceRoleName,
     'image-id': imageId,
     'instance-sizes': instanceType,
@@ -196,6 +197,7 @@ async function createFirewallCluster(props: {
     launchConfigurationName,
     associatePublicIpAddress,
     imageId,
+    metadataOptions: enforceImdsv2 ? { httpEndpoint: 'enabled', httpTokens: 'required' } : undefined,
     securityGroups: [securityGroup.id],
     iamInstanceProfile: instanceRoleName ? createIamInstanceProfileName(instanceRoleName) : undefined,
     instanceType,

src/deployments/cdk/src/deployments/firewall/cluster/step-4.ts

@@ -155,6 +155,7 @@ async function createFirewallManager(props: {
     }),
     configName: config.name,
     imageId: config['image-id'],
+    enforceImdsV2: config['enforce-imdsv2'],
     instanceType: config['instance-sizes'],
     blockDeviceMappings,
     userData,

src/deployments/cdk/src/deployments/firewall/manager/step-1.ts

@@ -20,6 +20,7 @@
     "@aws-accelerator/custom-resource-cfn-sleep": "workspace:*",
     "@aws-accelerator/custom-resource-elb-deletion-protection": "workspace:*",
     "@aws-accelerator/custom-resource-ec2-disable-api-termination": "workspace:*",
+    "@aws-accelerator/custom-resource-ec2-modify-metadata-options": "workspace:*",
     "@aws-accelerator/custom-resource-r53-dns-endpoint-ips": "workspace:*",
     "@aws-accelerator/custom-resource-s3-put-bucket-replication": "workspace:*",
     "@aws-accelerator/custom-resource-s3-template": "workspace:*",

src/lib/cdk-constructs/package.json

@@ -23,7 +23,6 @@ export type LaunchConfigurationProps = autoscaling.CfnLaunchConfigurationProps;
 interface LaunchConfigurationCustomProps extends LaunchConfigurationProps {
   centralBucketName?: string;
   logGroupName?: string;
-  enforceIMDSv2?: boolean;
 }
 
 /**

src/lib/cdk-constructs/src/autoscaling/launch-configuration.ts

@@ -24,6 +24,7 @@ export interface FirewallClusterProps {
   vpcCidrBlock: string;
   additionalCidrBlocks: string[];
   imageId: string;
+  enforceImdsV2: boolean;
   instanceType: string;
   instanceRole: iam.IRole;
   instanceProfile: IInstanceProfile;
@@ -68,6 +69,7 @@ export class FirewallCluster extends cdk.Construct {
       vpcCidrBlock: this.props.vpcCidrBlock,
       additionalCidrBlocks: this.props.additionalCidrBlocks,
       imageId: this.props.imageId,
+      enforceImdsV2: this.props.enforceImdsV2,
       instanceType: this.props.instanceType,
       instanceProfile: this.props.instanceProfile,
       keyPairName: this.props.keyPairName,

src/lib/cdk-constructs/src/firewall/cluster.ts

@@ -20,6 +20,7 @@ import { IInstanceProfile } from '../iam';
 import { Subnet, SecurityGroup } from '../vpc';
 import { CfnSleep } from '@aws-accelerator/custom-resource-cfn-sleep';
 import { EC2DisableApiTermination } from '@aws-accelerator/custom-resource-ec2-disable-api-termination';
+import { EC2ModifyMetadataOptions } from '@aws-accelerator/custom-resource-ec2-modify-metadata-options';
 
 export interface FirewallVpnTunnelOptions {
   cgwTunnelInsideAddress1: string;
@@ -51,6 +52,7 @@ export interface FirewallInstanceProps {
   name: string;
   hostname: string;
   vpcCidrBlock: string;
+  enforceImdsV2: boolean;
   additionalCidrBlocks: string[];
   licensePath?: string;
   licenseBucket?: s3.IBucket;
@@ -125,6 +127,13 @@ export class FirewallInstance extends cdk.Construct {
       this.resource.node.addDependency(this.template);
     }
 
+    new EC2ModifyMetadataOptions(this, `EC2${this.props.name}ModifyMetadataOptions`, {
+      ec2Id: this.resource.ref,
+      ec2Name: this.props.name,
+      httpEndpoint: 'enabled',
+      httpTokens: this.props.enforceImdsV2 ? 'required' : 'optional',
+    });
+
     new EC2DisableApiTermination(this, `EC2${this.props.name}DisableApiTermination`, {
       ec2Id: this.resource.ref,
       ec2Name: this.props.name,

src/lib/cdk-constructs/src/firewall/instance.ts

@@ -16,6 +16,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import { SecurityGroup, Subnet } from '../vpc';
 import { CfnSleep } from '@aws-accelerator/custom-resource-cfn-sleep';
 import { EC2DisableApiTermination } from '@aws-accelerator/custom-resource-ec2-disable-api-termination';
+import { EC2ModifyMetadataOptions } from '@aws-accelerator/custom-resource-ec2-modify-metadata-options';
 
 export interface FirewallManagerProps {
   name: string;
@@ -24,6 +25,7 @@ export interface FirewallManagerProps {
    * Image ID of firewall.
    */
   imageId: string;
+  enforceImdsV2: boolean;
   instanceType: string;
   blockDeviceMappings: ec2.CfnInstance.BlockDeviceMappingProperty[];
   keyPairName?: string;
@@ -49,6 +51,13 @@ export class FirewallManager extends cdk.Construct {
     });
     cdk.Tags.of(this.resource).add('Name', this.props.name);
 
+    new EC2ModifyMetadataOptions(this, `EC2${this.props.configName}ModifyMetadataOptions`, {
+      ec2Id: this.resource.ref,
+      ec2Name: this.props.name,
+      httpEndpoint: 'enabled',
+      httpTokens: this.props.enforceImdsV2 ? 'required' : 'optional',
+    });
+
     new EC2DisableApiTermination(this, `EC2-FWMNG${this.props.configName}DisableApiTermination`, {
       ec2Id: this.resource.ref,
       ec2Name: this.props.name,

src/lib/cdk-constructs/src/firewall/manager.ts

@@ -1878,6 +1878,10 @@ translate(c.FirewallEC2ConfigType, {
       title: '',
       description: 'AMI image ID',
     },
+    'enforce-imdsv2': {
+      title: 'Enforce IMDSv2 on the EC instances launched for firewalls',
+      description: 'If set to true, IMDSv2 will be mandatory on the firewall instances. Default : false',
+    },
     region: {
       title: '',
       description: 'Region to deploy the firewall',
@@ -2026,6 +2030,10 @@ translate(c.FirewallAutoScaleConfigType, {
       title: '',
       description: '',
     },
+    'enforce-imdsv2': {
+      title: 'Enforce IMDSv2 on the EC instances launched for firewalls',
+      description: 'If set to true, IMDSv2 will be mandatory on the instances. Default : false',
+    },
     'instance-sizes': {
       title: '',
       description: '',
@@ -2113,6 +2121,10 @@ translate(c.FirewallManagerConfigType, {
       title: 'Image ID',
       description: '',
     },
+    'enforce-imdsv2': {
+      title: 'Enforce IMDSv2 on the EC instance launched for firewall manager',
+      description: 'If set to true, IMDSv2 will be mandatory on the instance. Default : false',
+    },
     region: {
       title: '',
       description: '',