Bug 2185249

Summary: Register EC2 Cloud Images with IMDSv2-only AMI flag
Product: Fedora
Component: Changes Tracking
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 39
Reporter: Ben Cotton <bcotton>
Assignee: Stewart Smith <trawets>
CC: amoloney, awilliam, davdunc, thrcka, trawets
Doc Type: If docs needed, set a value
Last Closed: 2023-11-14 18:57:27 UTC
Bug Blocks: 2158243

Description Ben Cotton 2023-04-07 15:00:58 UTC
This is a tracking bug for Change: Register EC2 Cloud Images with IMDSv2-only AMI flag
For more details, see: https://fedoraproject.org/wiki/Changes/CloudEC2IMDSv2Only

In November 2019, AWS launched IMDSv2 (Instance Meta-Data Store version 2 - see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ ) which provides "belt and suspenders" protections for four types of vulnerabilities that could be used to try to access the Instance Meta-Data Store available to EC2 instances. In that announcement, AWS recommended adopting IMDSv2 and restricting access to IMDSv2 only for added security. This can be done at instance launch time, or (more recently in October 2022) by providing a flag when registering an AMI to indicate that the AMI should by default launch with IMDSv1 disabled, and thus require IMDSv2.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
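The description above explains that an AMI can be registered with a flag that makes instances launched from it require IMDSv2 by default. The following Python is an added example, not part of this bug, the Change page, or the fedimg role. It audits the JSON shapes returned by `aws ec2 describe-images` and `aws ec2 describe-instances` for anything that still allows IMDSv1, and builds the `register-image` and `modify-instance-metadata-options` command lines that set IMDSv2-only. The sample documents, AMI/instance/snapshot IDs and image names are constructed placeholders; the real AWS field names used (`ImdsSupport`, `MetadataOptions.HttpTokens`, `--imds-support v2.0`, `--http-tokens required`) are the documented EC2 API ones.

```python
"""Audit EC2 AMIs and instances for IMDSv2-only configuration.

Added example, not code from the Fedora Change or the fedimg Ansible role.
Input is the JSON shape of `aws ec2 describe-images` / `aws ec2 describe-instances`;
the two sample documents below are constructed, with placeholder IDs.
"""
import json

# Constructed sample: shape of `aws ec2 describe-images --owners self`.
# An AMI registered with `--imds-support v2.0` carries "ImdsSupport": "v2.0";
# one registered without the flag has no ImdsSupport key at all.
SAMPLE_IMAGES = json.loads("""
{
  "Images": [
    {"ImageId": "ami-0000000000000001", "Name": "example-cloud-image-imdsv2", "ImdsSupport": "v2.0"},
    {"ImageId": "ami-0000000000000002", "Name": "example-cloud-image-legacy"}
  ]
}
""")

# Constructed sample: shape of `aws ec2 describe-instances`.
# HttpTokens "required" means the IMDSv2 session-token handshake is mandatory;
# "optional" means plain IMDSv1 GET requests still work.
SAMPLE_INSTANCES = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-00000000000000001", "ImageId": "ami-0000000000000001",
       "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
      {"InstanceId": "i-00000000000000002", "ImageId": "ami-0000000000000002",
       "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}}
    ]}
  ]
}
""")


def amis_allowing_imdsv1(describe_images: dict) -> list[str]:
    """IDs of AMIs not registered with the IMDSv2-only flag (missing or non-v2.0 ImdsSupport)."""
    return [img["ImageId"] for img in describe_images.get("Images", [])
            if img.get("ImdsSupport") != "v2.0"]


def instances_allowing_imdsv1(describe_instances: dict) -> list[str]:
    """IDs of instances whose metadata endpoint is enabled but does not require a session token."""
    offenders = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                offenders.append(inst["InstanceId"])
    return offenders


def register_image_command(name: str, snapshot_id: str, arch: str = "x86_64") -> list[str]:
    """argv for `aws ec2 register-image` with the IMDSv2-only AMI flag set.

    Root device name and EBS mapping are typical values, assumed for the example.
    """
    mapping = [{"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": snapshot_id}}]
    return ["aws", "ec2", "register-image",
            "--name", name,
            "--architecture", arch,
            "--virtualization-type", "hvm",
            "--root-device-name", "/dev/sda1",
            "--block-device-mappings", json.dumps(mapping),
            "--imds-support", "v2.0"]


def remediation_commands(instance_ids: list[str]) -> list[list[str]]:
    """argv per instance to require IMDSv2 on an already-running instance."""
    return [["aws", "ec2", "modify-instance-metadata-options",
             "--instance-id", iid, "--http-tokens", "required", "--http-endpoint", "enabled"]
            for iid in instance_ids]


if __name__ == "__main__":
    # In practice, feed in `json.load(sys.stdin)` from the aws CLI instead of the samples.
    print("AMIs without IMDSv2-only flag:", amis_allowing_imdsv1(SAMPLE_IMAGES))
    bad = instances_allowing_imdsv1(SAMPLE_INSTANCES)
    print("Instances accepting IMDSv1:", bad)
    for argv in remediation_commands(bad):
        print(" ".join(argv))
    print(" ".join(register_image_command("example-cloud-image-imdsv2", "snap-00000000000000000")))
```

The AMI flag only sets the default for new launches; instances that already exist, or that a user launches with `--metadata-options HttpTokens=optional`, still need the per-instance check and the `modify-instance-metadata-options` remediation shown above.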

Comment 1 Adam Williamson 2023-08-22 23:08:14 UTC
As with https://fedoraproject.org/wiki/Changes/CloudEC2UEFIPreferred , I don't think this has been done. I see no record of it in https://pagure.io/fedora-infra/ansible/blob/main/f/roles/fedimg . Am I missing anything? If not, this is late and at-risk for F39.

Comment 2 Adam Williamson 2023-09-21 19:21:02 UTC
I still see no indication this has been done. It should probably be postponed to F40 at this point, unless I'm wrong.

David, do you know what's going on here?

Comment 3 Adam Williamson 2023-10-03 17:43:38 UTC
Deferred to F40 per https://pagure.io/fesco/issue/3059#comment-876796 .

Comment 4 Adam Williamson 2023-10-19 19:21:51 UTC
Per discussion with David on Matrix https://matrix.to/#/#cloud:fedoraproject.org , this Change was actually completed for F39, so moving it back there and marking ON_QA.

Comment 5 Aoife Moloney 2023-11-14 18:57:27 UTC
F39 was released on November 7th, so I am closing this tracker. If this Change was not completed, please notify me ASAP.