turbot/steampipe-mod-terraform-oci-compliance

Control: Compute instance legacy metadata service endpoint should be disabled

Description

The instance metadata service (IMDS) provides information about a running instance, including details about the instance itself, its attached virtual network interface cards (VNICs), its attached multipath-enabled volume attachments, and any custom metadata that you define. IMDS also supplies the data that cloud-init uses for system initialization tasks. The version 1 endpoint answers any plain HTTP request from the instance, so a server-side request forgery or similar flaw in a workload can be turned into a read of instance metadata; the version 2 endpoint requires every request to carry the header Authorization: Bearer Oracle, which a simple request-forwarding bug cannot add. To increase the security of metadata requests, update all applications on the instance to use the IMDS version 2 endpoint, if supported by the image, and only then disable requests to IMDS version 1; disabling version 1 first breaks any software, including cloud-init on older images, that still uses it. In Terraform this is the are_legacy_imds_endpoints_disabled attribute of the instance_options block on an oci_core_instance resource; the control reports an alarm when that attribute is absent or false.

Usage

Run the control in your terminal:

powerpipe control run terraform_oci_compliance.control.compute_instance_metadata_service_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_oci_compliance.control.compute_instance_metadata_service_disabled --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when ((attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled') is not null and
      (attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled')::boolean)
    then 'ok'
    else 'alarm'
  end as status,
  split_part(address, '.', 2) || case
    when ((attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled') is not null and
      (attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled')::boolean)
    then ' legacy metadata service endpoint disabled'
    else ' legacy metadata service endpoint enabled'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'oci_core_instance';
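The same ok/alarm decision can be reproduced outside Steampipe against the JSON form of a plan (`terraform show -json tfplan`), which is useful in a CI job that does not have the mod installed. The following is an added example and is not code from the steampipe-mod-terraform-oci-compliance project. It assumes the documented `terraform show -json` layout (`planned_values.root_module.resources[]` with `address`, `type` and `values`, child modules under `child_modules`) and that Terraform renders the `instance_options` block as a list of objects in that output; the sample plan embedded below is constructed for the example and covers the three cases the SQL distinguishes: the attribute set to true, set to false, and the block omitted entirely.

```python
"""Evaluate the legacy-IMDS control against a `terraform show -json` plan.

Added example, not part of the steampipe-mod-terraform-oci-compliance mod.
Assumptions: plan JSON in the documented `terraform show -json` layout, with
nested blocks such as instance_options rendered as lists of objects.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample plan (not real output) so the example runs offline.
# Three oci_core_instance resources: v1 disabled, v1 explicitly enabled,
# and the instance_options block omitted, plus one unrelated resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "oci_core_instance.web",
                    "type": "oci_core_instance",
                    "values": {
                        "display_name": "web",
                        "instance_options": [
                            {"are_legacy_imds_endpoints_disabled": True}
                        ],
                    },
                },
                {
                    "address": "oci_core_instance.batch",
                    "type": "oci_core_instance",
                    "values": {
                        "display_name": "batch",
                        "instance_options": [
                            {"are_legacy_imds_endpoints_disabled": False}
                        ],
                    },
                },
                {
                    "address": "oci_core_instance.legacy",
                    "type": "oci_core_instance",
                    "values": {"display_name": "legacy", "instance_options": []},
                },
                {
                    "address": "oci_core_vcn.main",
                    "type": "oci_core_vcn",
                    "values": {"display_name": "main"},
                },
            ]
        }
    },
})


def legacy_imds_disabled(values: Dict[str, Any]) -> bool:
    """True only when are_legacy_imds_endpoints_disabled is present and true.

    Mirrors the SQL: a missing block, a missing attribute, or an explicit
    false all fall through to 'alarm'.
    """
    opts = values.get("instance_options")
    if isinstance(opts, list):  # nested block rendered as a list of objects
        opts = opts[0] if opts else {}
    if not isinstance(opts, dict):
        return False
    return opts.get("are_legacy_imds_endpoints_disabled") is True


def iter_resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_plan(plan_json: str) -> List[Tuple[str, str, str]]:
    """Return (resource address, status, reason) for every oci_core_instance."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    results: List[Tuple[str, str, str]] = []
    for res in iter_resources(root):
        if res.get("type") != "oci_core_instance":
            continue
        ok = legacy_imds_disabled(res.get("values") or {})
        # Same as split_part(address, '.', 2): second dot-separated field, or ''.
        parts = res["address"].split(".")
        name = parts[1] if len(parts) > 1 else ""
        state = "disabled" if ok else "enabled"
        reason = f"{name} legacy metadata service endpoint {state}."
        results.append((res["address"], "ok" if ok else "alarm", reason))
    return results


if __name__ == "__main__":
    for address, status, reason in evaluate_plan(SAMPLE_PLAN):
        print(f"{status:5} {address}: {reason}")
```

Pipe real plan output in with `terraform show -json tfplan | python3 check_imds.py` after replacing the embedded sample with `sys.stdin.read()`; any `alarm` row is a resource that would still expose the version 1 endpoint when applied.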

Tags