Enforce metadata v2 + remove unnecessary IAM permissions + add message on the default security group with 0.0.0.0

Author: maiconrocha

main.tf

@@ -129,12 +129,9 @@ resource "aws_iam_role_policy_attachment" "custom_policy" {
 resource "aws_iam_role_policy" "aws_policy" {
   name   = "${var.name}-aws-access"
   role   = aws_iam_role.awsserviceroleforimagebuilder.id
-  #checkov:skip=CKV_AWS_290:The policy must allow *
-  #checkov:skip=CKV_AWS_355:The policy must allow *
   policy = data.aws_iam_policy_document.aws_policy.json
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "aws_policy" {
 
   statement {
@@ -143,21 +140,6 @@ data "aws_iam_policy_document" "aws_policy" {
     resources = ["arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"]
   }
 
-  statement {
-    effect = "Allow"
-    #checkov:skip=CKV_AWS_111:The policy must allow *
-    #checkov:skip=CKV_AWS_290:The policy must allow *
-    #checkov:skip=CKV_AWS_355:The policy must allow *
-    actions = [
-      "ec2messages:GetMessages",
-      "ec2:MetadataHttpEndpoint",
-      "ec2:MetadataHttpPutResponseHopLimit",
-      "ec2:MetadataHttpTokens",
-      "ssm:SendCommand"
-    ]
-    resources = ["*"]
-  }
-
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -175,8 +157,8 @@ resource "aws_imagebuilder_infrastructure_configuration" "imagebuilder_infrastru
   subnet_id          = var.subnet_id
 
   instance_metadata_options {
-    http_tokens                 = var.instance_metadata_http_tokens
-    http_put_response_hop_limit = var.instance_metadata_http_put_hop_limit
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 2
   }
 
   terminate_instance_on_failure = var.terminate_on_failure

variables.tf

@@ -154,26 +154,14 @@ variable "imagebuilder_image_recipe_kms_key_arn" {
   type        = string
 }
 
-variable "instance_metadata_http_put_hop_limit" {
-  default     = null
-  description = "The number of hops that an instance can traverse to reach its metadata."
-  type        = number
-}
-
-variable "instance_metadata_http_tokens" {
-  default     = "optional"
-  description = "(Optional) Whether a signed token is required for instance metadata retrieval requests. Valid values: required, optional."
-  type        = string
-}
-
 variable "terminate_on_failure" {
   default     = true
   description = "(Optional) Change to false if you want to connect to a builder for debugging after failure"
   type        = bool
 }
 
 variable "create_security_group" {
-  description = "(Optional) Create security group for EC2 Image Builder instances"
+  description = "(Optional) Create security group for EC2 Image Builder instances. Please note this security group will be created with default egress rule to 0.0.0.0/0 CIDR Block. In case you want to have a more restrict set of rules, please provide your own security group id on security_group_ids variable"
   type        = bool
   default     = true
 }