This is a tracking bug for Change: Register EC2 Cloud Images with IMDSv2-only AMI flag For more details, see: https://fedoraproject.org/wiki/Changes/CloudEC2IMDSv2Only In November 2019, AWS launched IMDSv2 (Instance Meta-Data Store version 2 - see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ ) which provides "belt and suspenders" protections for four types of vulnerabilities that could be used to try to access the Instance Meta-Data Store available to EC2 instances. In that announcement, AWS recommended adopting IMDSv2 and restricting access to IMDSv2 only for added security. This can be done at instance launch time, or (more recently in October 2022) by providing a flag when registering an AMI to indicate that the AMI should by default launch with IMDSv1 disabled, and thus require IMDSv2. If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
As with https://fedoraproject.org/wiki/Changes/CloudEC2UEFIPreferred , I don't think this has been done. I see no record of it in https://pagure.io/fedora-infra/ansible/blob/main/f/roles/fedimg . Am I missing anything? If not, this is late and at-risk for F39.
I still see no indication this has been done. It should probably be postponed to F40 at this point, unless I'm wrong. David, do you know what's going on here?
Deferred to F40 per https://pagure.io/fesco/issue/3059#comment-876796 .
Per discussion with David on Matrix https://matrix.to/#/#cloud:fedoraproject.org , this Change was actually completed for F39, so moving it back there and marking ON_QA.
F39 was released on November 7th, so I am closing this tracker. If this Change was not completed, please notify me ASAP.