From e51f99b87b259db452bf9b0c9864d3c2ffd4e69a Mon Sep 17 00:00:00 2001
From: Hossein Rouhani
Date: Thu, 18 Apr 2024 10:01:38 +0200
Subject: [PATCH] Improving Ensure EC2 instances use IMDSv2
Signed-off-by: Hossein Rouhani
---
 core/mondoo-aws-security.mql.yaml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml
index bae7515c..c95aac5e 100644
--- a/core/mondoo-aws-security.mql.yaml
+++ b/core/mondoo-aws-security.mql.yaml
@@ -1281,7 +1281,7 @@ queries:
aws.s3.bucket.publicAccessBlock.IgnorePublicAcls == true
aws.s3.bucket.publicAccessBlock.RestrictPublicBuckets == true
- uid: mondoo-aws-security-ec2-instance-no-public-ip
- title: Ensures no instances have a public IP
+ title: Ensure No Public IP associated with EC2 Instances
impact: 80
variants:
- uid: mondoo-aws-security-ec2-instance-no-public-ip-all
@@ -1363,20 +1363,21 @@ queries:
title: AWS Documentation - IP addressing for your VPCs and subnets
- url: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
title: Terraform Registry - aws_instance
- uid: mondoo-aws-security-ec2-imdsv2-check
- title: Ensure EC2 instances use IMDSv2
- impact: 80
- variants:
- - uid: mondoo-aws-security-ec2-imdsv2-check-all
- - uid: mondoo-aws-security-ec2-imdsv2-check-single
- uid: mondoo-aws-security-ec2-imdsv2-check-all
filters: asset.platform == "aws"
mql: |
- aws.ec2.instances.where(httpEndpoint != "disabled").all(httpTokens == "required")
+ aws.ec2.instances.where(state != /terminated|shutting-down/ && httpEndpoint == "enabled").all(httpTokens == "required")
- uid: mondoo-aws-security-ec2-imdsv2-check-single
filters: |
asset.platform == "aws-ec2-instance"
- aws.ec2.instance.httpEndpoint != "disabled"
+ aws.ec2.instance.state != /terminated|shutting-down/
+ aws.ec2.instance.httpEndpoint == "enabled"
+ - uid: mondoo-aws-security-ec2-imdsv2-check
+ title: Ensure EC2 instances use IMDSv2
+ impact: 90
+ variants:
+ - uid: mondoo-aws-security-ec2-imdsv2-check-all
+ - uid: mondoo-aws-security-ec2-imdsv2-check-single
mql: |
aws.ec2.instance.httpTokens == "required"
docs:
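Review bot: The relocated `- uid: mondoo-aws-security-ec2-imdsv2-check` item is inserted between the `-single` variant's `filters:` block and the trailing `mql: |` / `docs:` lines, which re-parents that `mql` and `docs` onto the check definition and leaves the `-single` variant with only `filters`; if variants do not inherit a query body from the parent check, the single-instance variant now has no query at all, so please confirm the intended structure (the indentation that decides this is not recoverable from the collapsed hunk). Separately, narrowing the scope from `httpEndpoint != "disabled"` to `httpEndpoint == "enabled"` means an instance whose endpoint value is missing or unexpected now falls out of scope and vacuously passes `.all(httpTokens == "required")` instead of being evaluated; if that is intentional, a comment above each variant such as `# Only instances with the IMDS endpoint enabled can enforce IMDSv2 tokens; recently terminated instances still appear in DescribeInstances and are excluded` would record it, since the same scoping is now written twice in two syntaxes. The impact change from 80 to 90 is also not mentioned in the commit message and would benefit from a one-line rationale there.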