Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled
Error: OCI Compute Instance has Legacy MetaData service endpoint enabled
Bridgecrew Policy ID: BC_OCI_COMPUTE_2
Checkov Check ID: CKV_OCI_5
Severity: HIGH
OCI Compute Instance has Legacy MetaData service endpoint enabled
Description
This policy identifies the OCI Compute Instances that are configured with Legacy MetaData service (IMDSv1) endpoints enabled. It is recommended that Compute Instances should be configured with legacy v1 endpoints (Instance Metadata Service v1) being disabled, and use Instance Metadata Service v2 instead following security best practices.
Fix - Runtime
OCI Console
- Login to the OCI Console
- Type the resource reported in the alert into the Search box at the top of the Console.
- Click the resource reported in the alert from the Resources submenu
- In the Instance Details section, next to Instance Metadata Service, click Edit.
- For the Allowed IMDS version, select the Version 2 only option.
- Click Save Changes.
Note :
If you disable IMDSv1 on an instance that does not support IMDSv2, you might not be able to connect to the instance when you launch it. To re enable IMDSv1: using the Console, on the Instance Details page, next to Instance Metadata Service, click Edit. Select the Version 1 and version 2 option, save your changes, and then restart the instance. Using the API, use the UpdateInstance operation.
FMI : https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm#upgrading-v2
Fix - Buildtime
Terraform
- Resource: oci_core_instance
- Arguments: instance_options.are_legacy_imds_endpoints_disabled
resource "oci_core_instance" "pass" {
...
instance_options {
are_legacy_imds_endpoints_disabled = true
}
...
}
Updated 6 months ago