From 6c09e29e8f05a7d2a64a85f2d4eefd2739a4dab7 Mon Sep 17 00:00:00 2001
From: Steven Smiley
Date: Fri, 10 Jun 2022 11:53:14 -0700
Subject: [PATCH] Extend IMDS control
---
 .../modules/ec2/require_imdsv2.tf | 64 ++++++++++++++++++-
 1 file changed, 62 insertions(+), 2 deletions(-)
diff --git a/security_controls_scp/modules/ec2/require_imdsv2.tf b/security_controls_scp/modules/ec2/require_imdsv2.tf
index b701469..72fabcb 100644
--- a/security_controls_scp/modules/ec2/require_imdsv2.tf
+++ b/security_controls_scp/modules/ec2/require_imdsv2.tf
@@ -4,7 +4,7 @@ data "aws_iam_policy_document" "require_imdsv2" {
 statement {
- sid = "RequireIMDSv2"
+ sid = "RequireEc2InstancesToUseImdsV2"
 actions = [
 "ec2:RunInstances"
@@ -25,11 +25,71 @@ data "aws_iam_policy_document" "require_imdsv2" {
 ]
 }
 }
+
+ statement {
+ sid = "RequireEc2RolesToUseImdsV2"
+
+ actions = [
+ "*"
+ ]
+
+ resources = [
+ "*",
+ ]
+
+ effect = "Deny"
+
+ condition {
+ test = "NumericLessThan"
+ variable = "ec2:RoleDelivery"
+
+ values = [
+ "2.0",
+ ]
+ }
+ }
+
+ statement {
+ sid = "DenyDisableImdsV2"
+
+ actions = [
+ "ec2:ModifyInstanceMetadataOptions"
+ ]
+
+ resources = [
+ "*",
+ ]
+
+ effect = "Deny"
+ }
+
+ statement {
+ sid = "MaxImdsHopLimit"
+
+ actions = [
+ "ec2:RunInstances"
+ ]
+
+ resources = [
+ "arn:aws:ec2:*:*:instance/*",
+ ]
+
+ effect = "Deny"
+
+ condition {
+ test = "NumericLessThan"
+ variable = "ec2:MetadataHttpPutResponseHopLimit"
+
+ values = [
+ "1",
+ ]
+ }
+ }
 }
 resource "aws_organizations_policy" "require_imdsv2_org_policy" {
 name = "Require IMDSv2 For EC2"
- description = "Requires the use of IMDSv2 for newly launched EC2s"
+ description = "Requires IMDSv2 for EC2 instances and roles"
 content = data.aws_iam_policy_document.require_imdsv2.json
 }
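Review bot: The `MaxImdsHopLimit` statement at the end of the second hunk is inverted: `NumericLessThan` against `"1"` only matches a `MetadataHttpPutResponseHopLimit` of 0, which is below the minimum the API accepts (1–64), so the statement never denies anything and does not cap the hop limit as its sid claims. To enforce a ceiling the operator has to be `NumericGreaterThan` with the intended maximum, e.g. `test = "NumericGreaterThan"` keeping `values = ["1"]` if the goal is to stop containers one hop away from reaching IMDS; a launch that omits the option leaves the key absent, so neither operator matches it and the service default applies. Separately, `DenyDisableImdsV2` carries no condition, so it blocks every `ec2:ModifyInstanceMetadataOptions` call — including the one an operator needs to move an existing instance to `HttpTokens=required` — rather than only the downgrade its name suggests; scoping it with a condition on the requested token setting (the `ec2:Attribute/HttpTokens` key, if it is supported for this action) would keep the remediation path open. The `RequireEc2RolesToUseImdsV2` statement follows the AWS-documented `ec2:RoleDelivery` pattern and looks correct as written.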