Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled

Error: OCI Compute Instance has Legacy MetaData service endpoint enabled
Bridgecrew Policy ID: BC_OCI_COMPUTE_2
Checkov Check ID: CKV_OCI_5
Severity: HIGH

OCI Compute Instance has Legacy MetaData service endpoint enabled

Description

This policy identifies OCI Compute Instances that are configured with the legacy Instance Metadata Service (IMDSv1) endpoints enabled. IMDSv1 answers unauthenticated requests, so any process on the instance (or an attacker with SSRF access to it) can read instance metadata and credentials. It is recommended that Compute Instances be configured with the legacy v1 endpoints disabled and use Instance Metadata Service v2 instead, in line with security best practices.

Fix - Runtime

OCI Console

  1. Log in to the OCI Console.
  2. Type the resource reported in the alert into the Search box at the top of the Console.
  3. Click the resource reported in the alert from the Resources submenu.
  4. In the Instance Details section, next to Instance Metadata Service, click Edit.
  5. For the Allowed IMDS version, select the Version 2 only option.
  6. Click Save Changes.
    Note:
    If you disable IMDSv1 on an instance that does not support IMDSv2, you might not be able to connect to the instance when you launch it. To re-enable IMDSv1 using the Console, on the Instance Details page, next to Instance Metadata Service, click Edit. Select the Version 1 and version 2 option, save your changes, and then restart the instance. Using the API, use the UpdateInstance operation.
    For more information: https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm#upgrading-v2

Fix - Buildtime

Terraform

  • Resource: oci_core_instance
  • Arguments: instance_options.are_legacy_imds_endpoints_disabled
resource "oci_core_instance" "pass" {
...
  # Disable the legacy (IMDSv1) endpoints so only IMDSv2 requests are served.
  # Omitting this argument, or setting it to false, leaves IMDSv1 enabled.
  instance_options {
    are_legacy_imds_endpoints_disabled = true
  }
...
}
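As an added example (not Checkov's or Bridgecrew's own implementation), the following Python function evaluates an `oci_core_instance` resource configuration the way this check does: it passes only when `instance_options.are_legacy_imds_endpoints_disabled` is true, and treats a missing block or missing argument as a failure on the assumption that OCI keeps the legacy endpoints enabled by default. The list-wrapped values mirror the shape HCL parsers commonly emit; the sample configurations are constructed.

```python
from typing import Any, Dict

PASSED = "PASSED"
FAILED = "FAILED"


def legacy_imds_check(resource_conf: Dict[str, Any]) -> str:
    """Return PASSED when are_legacy_imds_endpoints_disabled is true.

    Assumption: when the argument is omitted, OCI leaves the legacy IMDSv1
    endpoints enabled, so a missing block or argument is reported as FAILED.
    """
    options = resource_conf.get("instance_options")
    if isinstance(options, list):  # HCL parsers often wrap nested blocks in a list
        options = options[0] if options else None
    if not isinstance(options, dict):
        return FAILED
    value = options.get("are_legacy_imds_endpoints_disabled")
    if isinstance(value, list):  # ...and attribute values likewise
        value = value[0] if value else None
    if isinstance(value, str):  # tolerate the string form "true"/"false"
        value = value.strip().lower() == "true"
    return PASSED if value is True else FAILED


# Constructed sample configurations covering the pass case and the failure modes
SAMPLES = {
    "pass": {"instance_options": [{"are_legacy_imds_endpoints_disabled": [True]}]},
    "fail_explicit_false": {"instance_options": [{"are_legacy_imds_endpoints_disabled": [False]}]},
    "fail_missing_argument": {"instance_options": [{}]},
    "fail_missing_block": {"availability_domain": ["AD-1"]},
}


def evaluate_all(samples: Dict[str, Dict[str, Any]] = SAMPLES) -> Dict[str, str]:
    """Evaluate every sample and map its name to PASSED or FAILED."""
    return {name: legacy_imds_check(conf) for name, conf in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```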