Insecure Cloud Instance Metadata Service (IMDS) Access Leading to Credential Theft

# SECURE: EC2 instance with IMDSv2 enforcement and restricted access
resource "aws_instance" "secure_server" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t3.medium"
  
  # SECURE: IMDSv2 required, limited hop count
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"  # IMDSv2 only
    http_put_response_hop_limit = 1           # No forwarding
    instance_metadata_tags      = "enabled"   # Enable instance tags in metadata
  }
  
  # SECURE: Minimal IAM role with specific permissions
  iam_instance_profile = aws_iam_instance_profile.secure_profile.name
  
  # SECURE: Security group with restricted access
  vpc_security_group_ids = [aws_security_group.secure_instance.id]
  
  # SECURE: Encrypted storage
  root_block_device {
    encrypted = true
    kms_key_id = aws_kms_key.instance_key.arn
  }
  
  user_data = base64encode(templatefile("${path.module}/secure_startup.sh", {
    instance_role = aws_iam_role.secure_instance_role.name
  }))
  
  tags = {
    Name        = "SecureWebServer"
    Environment = "production"
    SecurityProfile = "hardened"
  }
}

# SECURE: Minimal IAM role with least privilege
resource "aws_iam_role" "secure_instance_role" {
  name = "SecureInstanceRole"
  
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
      Condition = {
        StringEquals = {
          "aws:RequestedRegion" = data.aws_region.current.name
        }
        DateGreaterThan = {
          "aws:CurrentTime" = "2023-01-01T00:00:00Z"
        }
      }
    }]
  })
}

# SECURE: Restrictive IAM policy with specific resource access
resource "aws_iam_role_policy" "secure_policy" {
  name = "SecureInstancePolicy"
  role = aws_iam_role.secure_instance_role.id
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        Resource = [
          "${aws_s3_bucket.app_data.arn}/uploads/*",
          "${aws_s3_bucket.app_data.arn}/processed/*"
        ]
        Condition = {
          StringEquals = {
            "s3:x-amz-server-side-encryption" = "AES256"
          }
        }
      },
      {
        Effect = "Allow"
        Action = [
          "secretsmanager:GetSecretValue"
        ]
        Resource = aws_secretsmanager_secret.app_secrets.arn
        Condition = {
          StringEquals = {
            "secretsmanager:VersionStage" = "AWSCURRENT"
          }
        }
      },
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        Resource = "${aws_cloudwatch_log_group.instance_logs.arn}:*"
      }
    ]
  })
}

# SECURE: Security group blocking metadata access from applications
resource "aws_security_group" "secure_instance" {
  name_prefix = "secure-instance-"
  vpc_id      = aws_vpc.main.id
  
  # Allow HTTPS outbound
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  
  # Allow HTTP to specific endpoints only
  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]  # Specific allowed destinations
  }
  
  # Block access to metadata service from most sources
  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["169.254.169.254/32"]  # Block IMDS
    description = "Block IMDS access - use iptables rules instead"
  }
  
  # Allow SSH from bastion only
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
  
  tags = {
    Name = "secure-instance-sg"
  }
}

# SECURE: Startup script with IMDS restrictions
# secure_startup.sh
#!/bin/bash
set -euo pipefail

# Enable logging
exec > >(tee /var/log/startup.log)
exec 2>&1

echo "Starting secure instance configuration..."

# Update system
yum update -y
yum install -y python3 python3-pip iptables-services

# SECURE: Block application access to IMDS using iptables
# Allow root access to IMDS (for system services)
iptables -A OUTPUT -m owner --uid-owner 0 -d 169.254.169.254 -j ACCEPT

# Block all other users from accessing IMDS
iptables -A OUTPUT -d 169.254.169.254 -j REJECT --reject-with icmp-port-unreachable

# Save iptables rules
service iptables save
systemctl enable iptables

# Install and configure application with IMDS protection
cat > /home/ec2-user/secure_app.py << 'APP'
import requests
import boto3
from flask import Flask, request, jsonify
from botocore.exceptions import ClientError
import ipaddress
from urllib.parse import urlparse

app = Flask(__name__)

# SECURE: Blocked IP ranges for SSRF protection
BLOCKED_RANGES = [
    ipaddress.IPv4Network('169.254.169.254/32'),  # IMDS
    ipaddress.IPv4Network('10.0.0.0/8'),         # Private
    ipaddress.IPv4Network('172.16.0.0/12'),      # Private
    ipaddress.IPv4Network('192.168.0.0/16'),     # Private
    ipaddress.IPv4Network('127.0.0.0/8'),        # Localhost
]

def is_safe_url(url):
    """Validate URL to prevent SSRF attacks"""
    try:
        parsed = urlparse(url)
        if not parsed.scheme in ['http', 'https']:
            return False
        
        # Resolve hostname to IP
        import socket
        ip = socket.gethostbyname(parsed.hostname)
        ip_addr = ipaddress.IPv4Address(ip)
        
        # Check against blocked ranges
        for blocked_range in BLOCKED_RANGES:
            if ip_addr in blocked_range:
                return False
        
        return True
    except Exception:
        return False

@app.route('/fetch')
def fetch_url():
    """Secure URL fetching with SSRF protection"""
    url = request.args.get('url')
    
    if not url:
        return jsonify({'error': 'No URL provided'}), 400
    
    # SECURE: Validate URL before making request
    if not is_safe_url(url):
        return jsonify({
            'error': 'URL not allowed - potential SSRF detected',
            'blocked_url': url
        }), 403
    
    try:
        # SECURE: Use requests with timeout and restrict redirects
        response = requests.get(
            url, 
            timeout=5, 
            allow_redirects=False,  # Prevent redirect-based SSRF
            headers={'User-Agent': 'SecureApp/1.0'}
        )
        
        # Don't return full response content for security
        return jsonify({
            'status': 'success',
            'status_code': response.status_code,
            'headers': dict(response.headers),
            'content_length': len(response.text)
        })
    
    except requests.exceptions.RequestException as e:
        return jsonify({'error': f'Request failed: {str(e)}'}), 500

@app.route('/aws-resource')
def get_aws_resource():
    """Secure AWS resource access using proper SDK"""
    try:
        # SECURE: Use boto3 with proper error handling
        # This automatically uses IMDSv2 and instance profile
        s3_client = boto3.client('s3')
        
        # Example: List specific bucket contents
        response = s3_client.list_objects_v2(
            Bucket='${aws_s3_bucket.app_data.id}',
            Prefix='uploads/',
            MaxKeys=10
        )
        
        objects = [{
            'key': obj['Key'],
            'size': obj['Size'],
            'last_modified': obj['LastModified'].isoformat()
        } for obj in response.get('Contents', [])]
        
        return jsonify({
            'bucket': '${aws_s3_bucket.app_data.id}',
            'objects': objects
        })
    
    except ClientError as e:
        return jsonify({
            'error': 'AWS operation failed',
            'code': e.response['Error']['Code']
        }), 500
    except Exception as e:
        return jsonify({'error': str(e)}), 500

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8080)  # Bind to localhost only
APP

# Create non-root user for application
useradd -m -s /bin/bash appuser
chown appuser:appuser /home/ec2-user/secure_app.py

# Install Python dependencies
sudo -u appuser pip3 install --user flask boto3 requests

# Start application as non-root user
sudo -u appuser python3 /home/ec2-user/secure_app.py &

echo "Secure instance configuration completed"

# SECURE: Create CloudWatch agent configuration
cat > /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json << 'CWCONFIG'
{
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/startup.log",
            "log_group_name": "${aws_cloudwatch_log_group.instance_logs.name}",
            "log_stream_name": "{instance_id}/startup"
          },
          {
            "file_path": "/var/log/iptables.log",
            "log_group_name": "${aws_cloudwatch_log_group.instance_logs.name}",
            "log_stream_name": "{instance_id}/iptables"
          }
        ]
      }
    }
  },
  "metrics": {
    "metrics_collected": {
      "cpu": {
        "measurement": ["cpu_usage_idle", "cpu_usage_iowait"],
        "metrics_collection_interval": 60
      },
      "disk": {
        "measurement": ["used_percent"],
        "metrics_collection_interval": 60,
        "resources": ["*"]
      },
      "mem": {
        "measurement": ["mem_used_percent"],
        "metrics_collection_interval": 60
      }
    }
  }
}
CWCONFIG

# Start CloudWatch agent
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
    -a fetch-config \
    -m ec2 \
    -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json \
    -s

# Configure log rotation
echo "/var/log/startup.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
}" > /etc/logrotate.d/startup

# SECURE: VPC with IMDS protection using NACLs
resource "aws_network_acl" "imds_protection" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.app_subnet.id]
  
  # Allow normal outbound traffic
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  
  egress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }
  
  # Block IMDS access
  egress {
    rule_no    = 200
    protocol   = "tcp"
    action     = "deny"
    cidr_block = "169.254.169.254/32"
    from_port  = 80
    to_port    = 80
  }
  
  # Allow inbound traffic from ALB
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.alb_subnet.cidr_block
    from_port  = 8080
    to_port    = 8080
  }
  
  tags = {
    Name = "IMDS-Protection-NACL"
  }
}

# SECURE: CloudWatch monitoring for IMDS access
resource "aws_cloudwatch_log_metric_filter" "imds_access_attempts" {
  name           = "IMDSAccessAttempts"
  log_group_name = aws_cloudwatch_log_group.instance_logs.name
  pattern        = "[timestamp, request_id, client_ip, method, uri=*169.254.169.254*, ...]"
  
  metric_transformation {
    name      = "IMDSAccessAttempts"
    namespace = "Security/IMDS"
    value     = "1"
    
    default_value = "0"
  }
}

# SECURE: CloudWatch alarm for IMDS access
resource "aws_cloudwatch_metric_alarm" "imds_access_alert" {
  alarm_name          = "IMDS-Unauthorized-Access"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = "1"
  metric_name         = "IMDSAccessAttempts"
  namespace           = "Security/IMDS"
  period              = "300"
  statistic           = "Sum"
  threshold           = "0"
  alarm_description   = "Alert on IMDS access attempts"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
  
  treat_missing_data = "notBreaching"
}

# SECURE: AWS Config rule to check IMDSv2 enforcement
resource "aws_config_config_rule" "imdsv2_enforcement" {
  name = "ec2-imdsv2-check"
  
  source {
    owner             = "AWS"
    source_identifier = "EC2_IMDSV2_CHECK"
  }
  
  depends_on = [aws_config_configuration_recorder.security_recorder]
}

# SECURE: Lambda function for automated IMDS remediation
resource "aws_lambda_function" "imds_remediation" {
  filename         = "imds_remediation.zip"
  function_name    = "imds-security-remediation"
  role            = aws_iam_role.lambda_remediation_role.arn
  handler         = "lambda_function.lambda_handler"
  source_code_hash = data.archive_file.imds_remediation.output_base64sha256
  runtime         = "python3.9"
  timeout         = 60
  
  environment {
    variables = {
      SNS_TOPIC_ARN = aws_sns_topic.security_alerts.arn
    }
  }
}

# SECURE: Lambda function code
data "archive_file" "imds_remediation" {
  type        = "zip"
  output_path = "imds_remediation.zip"
  
  source {
    content = <<EOF
import json
import boto3
import os
from botocore.exceptions import ClientError

ec2_client = boto3.client('ec2')
sns_client = boto3.client('sns')

def lambda_handler(event, context):
    """
    Automatically remediate IMDS configuration issues
    """
    
    try:
        # Check for non-compliant instances
        instances_response = ec2_client.describe_instances(
            Filters=[
                {
                    'Name': 'instance-state-name',
                    'Values': ['running', 'stopped']
                }
            ]
        )
        
        non_compliant_instances = []
        
        for reservation in instances_response['Reservations']:
            for instance in reservation['Instances']:
                instance_id = instance['InstanceId']
                
                # Check metadata options
                metadata_options = instance.get('MetadataOptions', {})
                http_tokens = metadata_options.get('HttpTokens', 'optional')
                hop_limit = metadata_options.get('HttpPutResponseHopLimit', 2)
                
                if http_tokens != 'required' or hop_limit > 1:
                    non_compliant_instances.append({
                        'instance_id': instance_id,
                        'current_tokens': http_tokens,
                        'current_hop_limit': hop_limit
                    })
        
        # Remediate non-compliant instances
        remediated_instances = []
        for instance_info in non_compliant_instances:
            instance_id = instance_info['instance_id']
            
            try:
                # Modify instance metadata options
                ec2_client.modify_instance_metadata_options(
                    InstanceId=instance_id,
                    HttpTokens='required',  # Enforce IMDSv2
                    HttpPutResponseHopLimit=1  # Prevent forwarding
                )
                
                remediated_instances.append(instance_id)
                
            except ClientError as e:
                print(f"Failed to remediate instance {instance_id}: {e}")
        
        # Send notification if instances were remediated
        if remediated_instances:
            message = {
                'remediated_instances': remediated_instances,
                'total_remediated': len(remediated_instances),
                'timestamp': context.aws_request_id
            }
            
            sns_client.publish(
                TopicArn=os.environ['SNS_TOPIC_ARN'],
                Subject='IMDS Configuration Remediated',
                Message=json.dumps(message, indent=2)
            )
        
        return {
            'statusCode': 200,
            'body': json.dumps({
                'non_compliant_found': len(non_compliant_instances),
                'remediated': len(remediated_instances)
            })
        }
        
    except Exception as e:
        error_msg = f"Error in IMDS remediation: {str(e)}"
        print(error_msg)
        
        sns_client.publish(
            TopicArn=os.environ['SNS_TOPIC_ARN'],
            Subject='IMDS Remediation Error',
            Message=error_msg
        )
        
        return {
            'statusCode': 500,
            'body': json.dumps({'error': str(e)})
        }
EOF
    filename = "lambda_function.py"
  }
}

# SECURE: EventBridge rule for scheduled IMDS checks
resource "aws_cloudwatch_event_rule" "imds_compliance_check" {
  name                = "imds-compliance-check"
  description         = "Check IMDS compliance daily"
  schedule_expression = "rate(24 hours)"
}

resource "aws_cloudwatch_event_target" "imds_remediation_target" {
  rule      = aws_cloudwatch_event_rule.imds_compliance_check.name
  target_id = "IMDSRemediationTarget"
  arn       = aws_lambda_function.imds_remediation.arn
}

# SECURE: GCP firewall rule blocking metadata access
resource "google_compute_firewall" "block_metadata_access" {
  name    = "block-metadata-access"
  network = google_compute_network.vpc.name
  
  # Block outbound traffic to metadata server
  deny {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
  
  destination_ranges = ["169.254.169.254/32"]
  direction          = "EGRESS"
  priority           = 1000
  
  # Apply to all instances except those with metadata-access tag
  target_tags = ["no-metadata-access"]
}

# SECURE: Azure NSG rule blocking IMDS
resource "azurerm_network_security_rule" "block_imds_outbound" {
  name                        = "Block-IMDS-Outbound"
  priority                    = 200
  direction                   = "Outbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range          = "*"
  destination_port_range     = "80"
  source_address_prefix      = "*"
  destination_address_prefix = "169.254.169.254/32"
  resource_group_name        = azurerm_resource_group.main.name
  network_security_group_name = azurerm_network_security_group.app_nsg.name
}

# SECURE: Kubernetes NetworkPolicy blocking IMDS access
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-metadata-access
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Allow DNS
  - to: []
    ports:
    - protocol: UDP
      port: 53
  # Allow HTTPS to internet
  - to: []
    ports:
    - protocol: TCP
      port: 443
  # Allow specific internal services
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
  # Explicitly deny access to metadata endpoints
  - to: []
    ports:
    - protocol: TCP
      port: 80
    # This rule will be overridden by Calico/Cilium policies below

# SECURE: Calico GlobalNetworkPolicy for IMDS blocking
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: block-cloud-metadata
spec:
  selector: "!has(allow-metadata-access)"
  types:
  - Egress
  egress:
  # Deny access to cloud metadata services
  - action: Deny
    destination:
      nets:
      - 169.254.169.254/32  # AWS/GCP/Azure IMDS
    protocol: TCP
    destination:
      ports:
      - 80
      - 443
  # Allow other egress traffic
  - action: Allow
---
# SECURE: Cilium CiliumNetworkPolicy for metadata blocking
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: block-metadata-service
spec:
  endpointSelector: {}
  egress:
  # Deny access to metadata service
  - toCIDR:
    - 169.254.169.254/32
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      - port: "443"
        protocol: TCP
    rules:
      http:
      - method: "GET"
        path: "/.*"
        action: DENY
  # Allow other egress
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
  - toFQDNs:
    - matchPattern: "*.amazonaws.com"
    - matchPattern: "*.googleapis.com"
    - matchPattern: "*.azure.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP

# SECURE: AWS ECS with task roles instead of instance metadata
resource "aws_ecs_cluster" "secure_cluster" {
  name = "secure-application-cluster"
  
  setting {
    name  = "containerInsights"
    value = "enabled"
  }
  
  configuration {
    execute_command_configuration {
      logging = "OVERRIDE"
      log_configuration {
        cloud_watch_log_group_name = aws_cloudwatch_log_group.ecs_exec_logs.name
      }
    }
  }
}

# SECURE: ECS task definition with specific task role
resource "aws_ecs_task_definition" "secure_app" {
  family                   = "secure-web-application"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = 256
  memory                   = 512
  
  # SECURE: Specific task role instead of instance metadata
  task_role_arn      = aws_iam_role.ecs_task_role.arn
  execution_role_arn = aws_iam_role.ecs_execution_role.arn
  
  container_definitions = jsonencode([
    {
      name  = "web-app"
      image = "secure-web-app:latest"
      
      # SECURE: No privileged mode or host network
      privileged = false
      
      portMappings = [
        {
          containerPort = 8080
          protocol      = "tcp"
        }
      ]
      
      # SECURE: Use Secrets Manager instead of environment variables
      secrets = [
        {
          name      = "DATABASE_PASSWORD"
          valueFrom = aws_secretsmanager_secret.db_credentials.arn
        },
        {
          name      = "API_KEY"
          valueFrom = aws_secretsmanager_secret.api_credentials.arn
        }
      ]
      
      # SECURE: Non-sensitive configuration from Parameter Store
      environment = [
        {
          name  = "APP_ENV"
          value = "production"
        },
        {
          name  = "LOG_LEVEL"
          value = "INFO"
        }
      ]
      
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          "awslogs-group"         = aws_cloudwatch_log_group.app_logs.name
          "awslogs-region"        = data.aws_region.current.name
          "awslogs-stream-prefix" = "web-app"
        }
      }
      
      # SECURE: Health check configuration
      healthCheck = {
        command = ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"]
        interval    = 30
        timeout     = 5
        retries     = 3
        startPeriod = 60
      }
    }
  ])
}

# SECURE: Specific ECS task role with minimal permissions
resource "aws_iam_role" "ecs_task_role" {
  name = "secure-ecs-task-role"
  
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
        Condition = {
          StringEquals = {
            "aws:RequestedRegion" = data.aws_region.current.name
          }
        }
      }
    ]
  })
}

# SECURE: Task role policy with least privilege
resource "aws_iam_role_policy" "ecs_task_policy" {
  name = "secure-ecs-task-policy"
  role = aws_iam_role.ecs_task_role.id
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "secretsmanager:GetSecretValue"
        ]
        Resource = [
          aws_secretsmanager_secret.db_credentials.arn,
          aws_secretsmanager_secret.api_credentials.arn
        ]
        Condition = {
          StringEquals = {
            "secretsmanager:VersionStage" = "AWSCURRENT"
          }
        }
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        Resource = [
          "${aws_s3_bucket.app_data.arn}/uploads/*"
        ]
      }
    ]
  })
}

# SECURE: GKE with Workload Identity
resource "google_container_cluster" "secure_cluster" {
  name               = "secure-gke-cluster"
  location           = "us-central1"
  initial_node_count = 1
  
  # SECURE: Workload Identity enabled
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
  
  # SECURE: Network policy enabled
  network_policy {
    enabled = true
  }
  
  # SECURE: Private cluster configuration
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  
  ip_allocation_policy {}
  
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
  
  # SECURE: Disable metadata server access
  node_config {
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring"
    ]
    
    # SECURE: Disable legacy metadata endpoints
    metadata = {
      disable-legacy-endpoints = "true"
    }
    
    # SECURE: Use custom service account
    service_account = google_service_account.gke_node_sa.email
    
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}

# SECURE: Kubernetes service account with Workload Identity
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secure-app-ksa
  namespace: production
  annotations:
    iam.gke.io/gcp-service-account: secure-app-sa@PROJECT_ID.iam.gserviceaccount.com
automountServiceAccountToken: false
---
# SECURE: Deployment using Workload Identity
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-web-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secure-web-app
  template:
    metadata:
      labels:
        app: secure-web-app
    spec:
      serviceAccountName: secure-app-ksa
      
      # SECURE: Security context
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      
      containers:
      - name: web-app
        image: gcr.io/PROJECT_ID/secure-web-app:latest
        
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
          capabilities:
            drop: ["ALL"]
        
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        
        # SECURE: Use projected volumes for secrets
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: secret-volume
          mountPath: /etc/secrets
          readOnly: true
        
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: "/var/run/secrets/cloud.google.com/service-account-token"
        - name: APP_ENV
          value: "production"
        
        # SECURE: Resource limits
        resources:
          limits:
            memory: "256Mi"
            cpu: "200m"
          requests:
            memory: "128Mi"
            cpu: "100m"
        
        # SECURE: Probes
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
      
      volumes:
      - name: tmp
        emptyDir: {}
      - name: secret-volume
        projected:
          sources:
          - secret:
              name: app-secrets
              items:
              - key: database-password
                path: db-password
              - key: api-key
                path: api-key
          - serviceAccountToken:
              path: service-account-token
              expirationSeconds: 3600
              audience: gcp
---
# SECURE: Azure AKS with Azure AD Workload Identity
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secure-app-sa
  namespace: production
  annotations:
    azure.workload.identity/client-id: CLIENT_ID
    azure.workload.identity/tenant-id: TENANT_ID
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-azure-app
  namespace: production
spec:
  replicas: 2
  selector:
    matchLabels:
      app: secure-azure-app
  template:
    metadata:
      labels:
        app: secure-azure-app
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: secure-app-sa
      
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      
      containers:
      - name: app
        image: myregistry.azurecr.io/secure-app:latest
        
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1001
          capabilities:
            drop: ["ALL"]
        
        env:
        - name: AZURE_CLIENT_ID
          value: CLIENT_ID
        - name: AZURE_TENANT_ID
          value: TENANT_ID
        - name: AZURE_FEDERATED_TOKEN_FILE
          value: "/var/run/secrets/azure/tokens/azure-identity-token"
        
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: azure-identity-token
          mountPath: /var/run/secrets/azure/tokens
          readOnly: true
        
        resources:
          limits:
            memory: "512Mi"
            cpu: "300m"
          requests:
            memory: "256Mi"
            cpu: "150m"
      
      volumes:
      - name: tmp
        emptyDir: {}
      - name: azure-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: azure-identity-token
              expirationSeconds: 3600
              audience: api://AzureADTokenExchange

# SECURE: Service mesh with mTLS (Istio)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: secure-app-authz
  namespace: production
spec:
  selector:
    matchLabels:
      app: secure-web-app
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/ingress/sa/istio-ingressgateway-service-account"]
  - to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*", "/health", "/ready"]

# SECURE: Comprehensive IMDS security monitoring stack
resource "aws_cloudwatch_log_group" "imds_security_logs" {
  name              = "/aws/security/imds-monitoring"
  retention_in_days = 365
  kms_key_id       = aws_kms_key.logs_key.arn
}

# SECURE: CloudTrail for API monitoring
resource "aws_cloudtrail" "security_trail" {
  name           = "security-monitoring-trail"
  s3_bucket_name = aws_s3_bucket.cloudtrail_logs.id
  
  # Monitor all regions
  include_global_service_events = true
  is_multi_region_trail        = true
  enable_logging               = true
  
  # Log data events
  event_selector {
    read_write_type                 = "All"
    include_management_events       = true
    
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::*/*"]
    }
  }
  
  # Send to CloudWatch Logs
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail_logs.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_logs_role.arn
  
  # Enable log file validation
  enable_log_file_validation = true
  
  # KMS encryption
  kms_key_id = aws_kms_key.cloudtrail_key.arn
}

# SECURE: EventBridge custom bus for security events
resource "aws_cloudwatch_event_bus" "security_bus" {
  name = "security-events"
  
  tags = {
    Purpose = "Security event aggregation"
  }
}

# SECURE: Lambda function for IMDS security analysis
resource "aws_lambda_function" "imds_security_analyzer" {
  filename         = "imds_analyzer.zip"
  function_name    = "imds-security-analyzer"
  role            = aws_iam_role.lambda_analyzer_role.arn
  handler         = "lambda_function.lambda_handler"
  source_code_hash = data.archive_file.imds_analyzer.output_base64sha256
  runtime         = "python3.9"
  timeout         = 300
  
  environment {
    variables = {
      SECURITY_TABLE_NAME = aws_dynamodb_table.security_events.name
      SNS_TOPIC_ARN      = aws_sns_topic.security_alerts.arn
      SLACK_WEBHOOK_URL  = var.slack_webhook_url
    }
  }
  
  # VPC configuration for database access
  vpc_config {
    subnet_ids         = aws_subnet.private_subnets[*].id
    security_group_ids = [aws_security_group.lambda_sg.id]
  }
}

# SECURE: Lambda analyzer code
data "archive_file" "imds_analyzer" {
  type        = "zip"
  output_path = "imds_analyzer.zip"
  
  source {
    content = <<EOF
import json
import boto3
import os
from datetime import datetime, timedelta
import requests
from botocore.exceptions import ClientError

dynamodb = boto3.resource('dynamodb')
sns = boto3.client('sns')
ec2 = boto3.client('ec2')
security_table = dynamodb.Table(os.environ['SECURITY_TABLE_NAME'])

def lambda_handler(event, context):
    """
    Analyze IMDS-related security events and generate alerts
    """
    
    try:
        # Parse the incoming event
        if 'Records' in event:
            for record in event['Records']:
                if record['eventSource'] == 'aws:logs':
                    # CloudWatch Logs event
                    log_data = json.loads(record['awslogs']['data'])
                    analyze_log_events(log_data['logEvents'])
                
                elif record['eventSource'] == 'aws:s3':
                    # CloudTrail log file
                    bucket = record['s3']['bucket']['name']
                    key = record['s3']['object']['key']
                    analyze_cloudtrail_logs(bucket, key)
        
        # Perform periodic security analysis
        analyze_imds_security_posture()
        
        return {
            'statusCode': 200,
            'body': json.dumps('Analysis completed successfully')
        }
        
    except Exception as e:
        print(f"Error in IMDS security analysis: {str(e)}")
        send_alert(f"IMDS Security Analyzer Error: {str(e)}", "HIGH")
        
        return {
            'statusCode': 500,
            'body': json.dumps(f'Error: {str(e)}')
        }

def analyze_log_events(log_events):
    """Analyze CloudWatch log events for IMDS access patterns"""
    
    suspicious_patterns = [
        '169.254.169.254',
        'latest/meta-data',
        'computeMetadata/v1',
        'metadata/identity/oauth2/token',
        'iam/security-credentials',
        'service-accounts/default/token'
    ]
    
    for event in log_events:
        message = event.get('message', '')
        timestamp = event.get('timestamp', 0)
        
        # Check for suspicious patterns
        for pattern in suspicious_patterns:
            if pattern in message.lower():
                security_event = {
                    'event_id': f"imds-{timestamp}-{hash(message)}",
                    'timestamp': datetime.fromtimestamp(timestamp/1000).isoformat(),
                    'event_type': 'IMDS_ACCESS_ATTEMPT',
                    'severity': 'HIGH',
                    'source': 'CloudWatch Logs',
                    'details': {
                        'pattern_matched': pattern,
                        'log_message': message,
                        'log_timestamp': timestamp
                    }
                }
                
                store_security_event(security_event)
                
                # Check if this is part of a larger pattern
                if is_attack_pattern(security_event):
                    trigger_incident_response(security_event)

def analyze_cloudtrail_logs(bucket, key):
    """Analyze CloudTrail logs for IMDS-related API calls"""
    
    s3 = boto3.client('s3')
    
    try:
        # Download and parse CloudTrail log file
        response = s3.get_object(Bucket=bucket, Key=key)
        log_content = response['Body'].read()
        
        # Parse JSON log records
        log_data = json.loads(log_content)
        
        for record in log_data.get('Records', []):
            analyze_api_call(record)
            
    except Exception as e:
        print(f"Error analyzing CloudTrail logs: {e}")

def analyze_api_call(record):
    """Analyze individual API call for security concerns"""
    
    event_name = record.get('eventName', '')
    source_ip = record.get('sourceIPAddress', '')
    user_identity = record.get('userIdentity', {})
    
    # Suspicious API calls
    suspicious_apis = [
        'ModifyInstanceMetadataOptions',
        'DescribeInstanceAttribute',
        'GetRole',
        'AssumeRole',
        'GetSessionToken'
    ]
    
    if event_name in suspicious_apis:
        security_event = {
            'event_id': f"api-{record.get('eventTime')}-{record.get('awsRequestId')}",
            'timestamp': record.get('eventTime'),
            'event_type': 'SUSPICIOUS_API_CALL',
            'severity': 'MEDIUM',
            'source': 'CloudTrail',
            'details': {
                'api_call': event_name,
                'source_ip': source_ip,
                'user_identity': user_identity,
                'request_parameters': record.get('requestParameters', {})
            }
        }
        
        store_security_event(security_event)

def analyze_imds_security_posture():
    """Analyze overall IMDS security posture"""
    
    try:
        # Check EC2 instances for IMDS configuration
        instances = ec2.describe_instances()['Reservations']
        
        vulnerable_instances = []
        
        for reservation in instances:
            for instance in reservation['Instances']:
                instance_id = instance['InstanceId']
                metadata_options = instance.get('MetadataOptions', {})
                
                # Check for vulnerabilities
                if (metadata_options.get('HttpTokens') != 'required' or
                    metadata_options.get('HttpPutResponseHopLimit', 2) > 1):
                    
                    vulnerable_instances.append({
                        'instance_id': instance_id,
                        'state': instance['State']['Name'],
                        'metadata_options': metadata_options
                    })
        
        # Generate security report
        if vulnerable_instances:
            security_event = {
                'event_id': f"posture-{datetime.now().isoformat()}",
                'timestamp': datetime.now().isoformat(),
                'event_type': 'SECURITY_POSTURE_VIOLATION',
                'severity': 'HIGH',
                'source': 'Security Posture Analysis',
                'details': {
                    'vulnerable_instance_count': len(vulnerable_instances),
                    'vulnerable_instances': vulnerable_instances
                }
            }
            
            store_security_event(security_event)
            send_alert(
                f"Found {len(vulnerable_instances)} instances with vulnerable IMDS configuration",
                "HIGH"
            )
    
    except Exception as e:
        print(f"Error in security posture analysis: {e}")

def is_attack_pattern(security_event):
    """Determine if event is part of a larger attack pattern"""
    
    # Look for multiple events from the same source in short time window
    try:
        response = security_table.query(
            IndexName='TimestampIndex',
            KeyConditionExpression=boto3.dynamodb.conditions.Key('timestamp').between(
                (datetime.now() - timedelta(hours=1)).isoformat(),
                datetime.now().isoformat()
            ),
            FilterExpression=boto3.dynamodb.conditions.Attr('event_type').eq('IMDS_ACCESS_ATTEMPT')
        )
        
        # If more than 5 IMDS access attempts in the last hour, consider it an attack
        return len(response['Items']) > 5
        
    except Exception as e:
        print(f"Error checking attack pattern: {e}")
        return False

def store_security_event(security_event):
    """Store security event in DynamoDB"""
    
    try:
        security_table.put_item(Item=security_event)
    except Exception as e:
        print(f"Error storing security event: {e}")

def trigger_incident_response(security_event):
    """Trigger automated incident response"""
    
    # Create incident ticket
    incident_data = {
        'title': f"Potential IMDS Attack Detected - {security_event['event_id']}",
        'severity': 'HIGH',
        'description': f"Multiple IMDS access attempts detected: {json.dumps(security_event, indent=2)}",
        'timestamp': security_event['timestamp']
    }
    
    # Send to incident management system
    send_alert(
        f"🚨 INCIDENT: Potential IMDS attack pattern detected\n{json.dumps(incident_data, indent=2)}",
        "CRITICAL"
    )
    
    # Auto-remediation actions could go here
    # - Block suspicious IP addresses
    # - Modify instance metadata options
    # - Isolate affected instances

def send_alert(message, severity):
    """Send alert via SNS and Slack"""
    
    try:
        # Send SNS notification
        sns.publish(
            TopicArn=os.environ['SNS_TOPIC_ARN'],
            Subject=f"IMDS Security Alert - {severity}",
            Message=message
        )
        
        # Send Slack notification if webhook URL is provided
        slack_webhook = os.environ.get('SLACK_WEBHOOK_URL')
        if slack_webhook:
            slack_data = {
                'text': f"IMDS Security Alert",
                'attachments': [{
                    'color': 'danger' if severity in ['HIGH', 'CRITICAL'] else 'warning',
                    'fields': [{
                        'title': f'Severity: {severity}',
                        'value': message,
                        'short': False
                    }]
                }]
            }
            
            requests.post(slack_webhook, json=slack_data)
    
    except Exception as e:
        print(f"Error sending alert: {e}")
EOF
    filename = "lambda_function.py"
  }
}

# SECURE: DynamoDB table for security events
resource "aws_dynamodb_table" "security_events" {
  name           = "imds-security-events"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "event_id"
  
  attribute {
    name = "event_id"
    type = "S"
  }
  
  attribute {
    name = "timestamp"
    type = "S"
  }
  
  global_secondary_index {
    name     = "TimestampIndex"
    hash_key = "timestamp"
  }
  
  # Enable point-in-time recovery
  point_in_time_recovery {
    enabled = true
  }
  
  # Enable encryption
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb_key.arn
  }
  
  tags = {
    Purpose = "IMDS security event storage"
  }
}

# SECURE: CloudWatch dashboard for IMDS security monitoring
resource "aws_cloudwatch_dashboard" "imds_security_dashboard" {
  dashboard_name = "IMDS-Security-Monitoring"
  
  dashboard_body = jsonencode({
    widgets = [
      {
        type   = "metric"
        x      = 0
        y      = 0
        width  = 12
        height = 6
        
        properties = {
          metrics = [
            ["Security/IMDS", "IMDSAccessAttempts"],
            [".", "SuspiciousAPIRequests"],
            [".", "VulnerableInstances"]
          ]
          view    = "timeSeries"
          stacked = false
          region  = data.aws_region.current.name
          title   = "IMDS Security Metrics"
          period  = 300
        }
      },
      {
        type   = "log"
        x      = 0
        y      = 6
        width  = 24
        height = 6
        
        properties = {
          query   = "SOURCE '${aws_cloudwatch_log_group.imds_security_logs.name}' | fields @timestamp, @message | filter @message like /169.254.169.254/ | sort @timestamp desc | limit 100"
          region  = data.aws_region.current.name
          title   = "Recent IMDS Access Attempts"
        }
      },
      {
        type   = "number"
        x      = 0
        y      = 12
        width  = 6
        height = 6
        
        properties = {
          metrics = [
            ["Security/IMDS", "VulnerableInstances"]
          ]
          view   = "singleValue"
          region = data.aws_region.current.name
          title  = "Vulnerable Instances"
        }
      },
      {
        type   = "number"
        x      = 6
        y      = 12
        width  = 6
        height = 6
        
        properties = {
          metrics = [
            ["Security/IMDS", "IMDSAccessAttempts", { "stat": "Sum" }]
          ]
          view   = "singleValue"
          region = data.aws_region.current.name
          title  = "Total Access Attempts (24h)"
        }
      }
    ]
  })
}

# SECURE: Automated incident response playbook
resource "aws_ssm_document" "imds_incident_response" {
  name          = "IMDS-Incident-Response-Playbook"
  document_type = "Automation"
  document_format = "YAML"
  
  content = <<DOC
schemaVersion: '0.3'
description: 'Automated response to IMDS security incidents'
assumeRole: '${aws_iam_role.incident_response_role.arn}'
parameters:
  InstanceId:
    type: String
    description: 'EC2 Instance ID to remediate'
  Severity:
    type: String
    description: 'Incident severity level'
    allowedValues: ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']
mainSteps:
- name: 'ValidateInstance'
  action: 'aws:executeAwsApi'
  inputs:
    Service: 'ec2'
    Api: 'DescribeInstances'
    InstanceIds:
    - '{{ InstanceId }}'
  outputs:
  - Name: 'InstanceState'
    Selector: '$.Reservations[0].Instances[0].State.Name'
    Type: 'String'
    
- name: 'CheckIMDSConfiguration'
  action: 'aws:executeAwsApi'
  inputs:
    Service: 'ec2'
    Api: 'DescribeInstanceAttribute'
    InstanceId: '{{ InstanceId }}'
    Attribute: 'instanceInitiatedShutdownBehavior'
  
- name: 'RemediateIMDSv2'
  action: 'aws:executeAwsApi'
  inputs:
    Service: 'ec2'
    Api: 'ModifyInstanceMetadataOptions'
    InstanceId: '{{ InstanceId }}'
    HttpTokens: 'required'
    HttpPutResponseHopLimit: 1
  
- name: 'IsolateInstance'
  action: 'aws:executeAwsApi'
  when:
    StringEquals:
    - '{{ Severity }}'
    - 'CRITICAL'
  inputs:
    Service: 'ec2'
    Api: 'ModifyInstanceAttribute'
    InstanceId: '{{ InstanceId }}'
    Groups:
    - '${aws_security_group.isolation_sg.id}'
    
- name: 'NotifySecurityTeam'
  action: 'aws:executeAwsApi'
  inputs:
    Service: 'sns'
    Api: 'Publish'
    TopicArn: '${aws_sns_topic.security_alerts.arn}'
    Subject: 'IMDS Incident Response Completed'
    Message: |
      Automated remediation completed for instance {{ InstanceId }}
      Severity: {{ Severity }}
      Actions taken:
      - Enforced IMDSv2
      - Limited hop count to 1
      {% if Severity == 'CRITICAL' %}
      - Isolated instance with restricted security group
      {% endif %}
DOC
}