AWS SageMaker Notebook Instance allows for IMDSv1

Description

This policy checks whether SageMaker Notebook Instances are configured to use Instance Metadata Service version 2 (IMDSv2). MDSv2 reduces security risks by requiring session-oriented requests, unlike the vulnerable IMDSv1 which is susceptible to server-side request forgery (SSRF) attacks and potential unauthorized access. This improves the overall security posture of your AWS resources.

Code Example

resource "aws_sagemaker_notebook_instance" "my_notebook_instance_pass" {
  ...
  instance_metadata_service_configuration {
+    minimum_instance_metadata_service_version = "2"
  }
}

Remediation

Terraform

Resource: aws_sagemaker_notebook_instance
Arguments: instance_metadata_service_configuration/minimum_instance_metadata_service_version

Ensure that the Amazon Sagemaker Notebook Instance is configured to only allow Instance Metadata Service Version 2 (IMDSv2), by setting the `minimum_instance_metadata_service_version` to `2`, as displayed in the example below.

Rule Details

Field	Value
ID	IAC-0418
Severity	MEDIUM
IaC Type	Cloudformation
Frameworks	Terraform, TerraformPlan, CloudFormation
Checkov ID	CKV_AWS_371

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

AWS SageMaker Notebook Instance allows for IMDSv1

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

AWS SageMaker Notebook Instance allows for IMDSv1 ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

AWS SageMaker Notebook Instance allows for IMDSv1

Description

Code Example

Remediation

Rule Details

References