IAC - False Positive detection for AVD-AWS-0028 (aws_instance should activate session tokens for Instance Metadata Service)

[nishad-aliaqua]

IDs

AVD-AWS-0028

Description

Issue:

CFT defined with HttpTokens : required for configuring EC2 instance with IMDSv2 as defined in the below CFT sample shows FP detection for AVD-AWS-0028

Example CFT

AWSTemplateFormatVersion: 2010-09-09 Resources: LTnishad: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: !Sub ${AWS::StackName}-launch-template-for-testing-cspm LaunchTemplateData: InstanceType: t2.micro SecurityGroupIds: - sg-0390a728fexxxd50ca KeyName: nishad-new-2022 ImageId: ami-026257f4f39c28af8 MetadataOptions: HttpEndpoint: enabled HttpPutResponseHopLimit: 1 HttpTokens: required TagSpecifications: - ResourceType: launch-template Tags: - Key: Name-new Value: nishad-test BastionInstance: Type: AWS::EC2::Instance Properties: LaunchTemplate: LaunchTemplateName: !Sub ${AWS::StackName}-launch-template-for-testing-cspm Version: 1 SubnetId: !Ref PublicSubnet UserData: Fn::Base64: !Sub | #!/bin/bash Tags: - Key: Name Value: !Sub '${AWS::StackName}'

Reproduction Steps

1.Push the above Sample CFT to Github or any SCM
2.Intgrate SCM with Aqua and Initaite Scan
3.Review Iac findings,
...

Target

Git Repository

Scanner

Misconfiguration

Target OS

No response

Debug Output

Scanning is Done from Aqua UI after integrating SCM into AQUA

Version

Scanning is Done from Aqua UI after integrating SCM into AQUA. Hope Aqua uses latest version of Trivy

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Hi @nishad-aliaqua !

I created issue #5793