Part of plan #15. Phase 6 — Security Defaults.
Problem
The action runs EC2 instances configured entirely by the consumer's inputs (subnet-id, security-group-id, ec2-image-filters). It does nothing to encourage or enforce secure defaults:
- Consumers can (and do) run runners in public subnets with broadly-permissive SGs.
- No guidance on IMDSv2 enforcement — runners are network-reachable attack targets until they register, and IMDSv1 allows SSRF-style credential exfiltration.
- No guidance on encrypted EBS root volumes.
Proposed changes
Documentation
New docs/security-defaults.md covering:
- Subnet choice. Prefer private subnet + NAT gateway (or VPC endpoints for
ec2, s3, github.com). Public subnets + EIPs only if there's a specific need (e.g., IP allowlisting at a third-party API).
- Security group. Outbound-only; inbound SSH blocked; no 0.0.0.0/0 ingress. Example TF snippet.
- IMDSv2. Set
HttpTokens: required + HttpPutResponseHopLimit: 1 on RunInstances. Mitigates SSRF → IAM credential theft.
- EBS encryption. Set
BlockDeviceMappings[*].Ebs.Encrypted: true. Protects data at rest.
- Instance profile. Pass
iam-role-name only for jobs that need AWS access from within the runner. For self-contained jobs (like the provider's make testacc), skip it.
Code changes
- Set IMDSv2 required unconditionally in
RunInstances params. This is a reasonable hard default — IMDSv1 has no legitimate modern use case. If anyone complains, add an opt-out input.
- Set EBS encryption on the root volume unconditionally. Adds no cost and is a reasonable default.
- Add an input
http-tokens (default required) so a consumer can override if they must.
Consumer impact (terraform-provider-namecheap)
- Current SG
sg-106ec76d, subnet subnet-01c4ff5a, EIP eipalloc-1796f61b — needs review against the documented defaults. EIP + public subnet is presumably for Namecheap API IP allowlisting (the acceptance_test job hits api.namecheap.com).
- IMDSv2 requirement: should be transparent.
aws-sdk clients and SSM agent all support IMDSv2.
- EBS encryption: transparent.
Acceptance criteria
Part of plan #15. Phase 6 — Security Defaults.
Problem
The action runs EC2 instances configured entirely by the consumer's inputs (
subnet-id,security-group-id,ec2-image-filters). It does nothing to encourage or enforce secure defaults:Proposed changes
Documentation
New
docs/security-defaults.mdcovering:ec2,s3,github.com). Public subnets + EIPs only if there's a specific need (e.g., IP allowlisting at a third-party API).HttpTokens: required+HttpPutResponseHopLimit: 1on RunInstances. Mitigates SSRF → IAM credential theft.BlockDeviceMappings[*].Ebs.Encrypted: true. Protects data at rest.iam-role-nameonly for jobs that need AWS access from within the runner. For self-contained jobs (like the provider'smake testacc), skip it.Code changes
RunInstancesparams. This is a reasonable hard default — IMDSv1 has no legitimate modern use case. If anyone complains, add an opt-out input.http-tokens(defaultrequired) so a consumer can override if they must.Consumer impact (
terraform-provider-namecheap)sg-106ec76d, subnetsubnet-01c4ff5a, EIPeipalloc-1796f61b— needs review against the documented defaults. EIP + public subnet is presumably for Namecheap API IP allowlisting (theacceptance_testjob hitsapi.namecheap.com).aws-sdkclients and SSM agent all support IMDSv2.Acceptance criteria
docs/security-defaults.mdexists with concrete TF + workflow examples.http-tokensinput provides override.docs/security-defaults.mdfrom the Usage section.