lacework-global-384
Auto Scaling group launch configurations should configure Elastic Compute Cloud (EC2) instances to require Instance Metadata Service Version 2 (IMDSv2) (Automated)
Description
Instance Metadata Service (IMDS) provides data about your instance that you can use to configure or manage the running instance.
Version 2 of the IMDS adds new protections that were not available in IMDSv1 to further safeguard your EC2 instances.
Remediation
To configure IMDSv2 as the default for a given region:
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Compute > EC2.
- Under Account attributes, click Data protection and security.
- Under IMDS defaults, click Manage.
- Set the following values:
  - Under Instance metadata service, choose Enabled.
  - Under Metadata version, choose V2 only (token required).
  - Under Metadata response hop limit, choose 2 if your instances are hosting containers; otherwise select the No preference checkbox.
- Click Update.
From CLI:
Use the following command if your instances are hosting containers:
aws ec2 modify-instance-metadata-defaults --region <region> --http-tokens required --http-put-response-hop-limit 2
Otherwise, use the following command:
aws ec2 modify-instance-metadata-defaults --region <region> --http-tokens required --http-put-response-hop-limit -1
Note: -1 signifies no preference for the hop limit.
To configure the instance at launch:
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Compute > EC2.
- Click Launch Instance.
- Under Advanced details, set Metadata version to V2 only (token required).
- Fill out the remaining details, and click Launch instance.
From CLI:
aws ec2 run-instances --image-id <ami_image_id> --instance-type <instance_type> --metadata-options "HttpEndpoint=enabled,HttpTokens=required"
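To see which launch configurations this control would flag before applying the remediation above, the following added example (not Lacework's or AWS's code) evaluates the JSON returned by `aws autoscaling describe-launch-configurations --output json`. It assumes the pass criterion is that MetadataOptions is present with HttpTokens set to required; the sample response is constructed for illustration.

```python
"""Audit Auto Scaling launch configurations for IMDSv2 enforcement.

Pipe the output of `aws autoscaling describe-launch-configurations
--output json` into this script; with no stdin it runs on the
constructed SAMPLE_RESPONSE below.
"""
import json
import sys
from typing import Dict, Tuple


def evaluate_launch_configuration(lc: dict) -> Tuple[str, str]:
    """Return (name, finding); finding is "PASS" or a FAIL reason."""
    name = lc.get("LaunchConfigurationName", "<unnamed>")
    opts = lc.get("MetadataOptions")
    if opts is None:
        # No MetadataOptions: instances inherit the region default, which
        # still allows IMDSv1 unless modify-instance-metadata-defaults was run.
        return name, "FAIL: MetadataOptions not set (IMDSv1 may be allowed)"
    tokens = opts.get("HttpTokens", "optional")
    if tokens != "required":
        # "optional" means a caller may use IMDSv1 (no session token).
        return name, f"FAIL: HttpTokens={tokens} (IMDSv1 allowed)"
    hop = opts.get("HttpPutResponseHopLimit")
    if hop is not None and hop > 2:
        # Still compliant, but worth reviewing: the page's guidance is 2 for
        # container hosts and the default otherwise.
        return name, f"PASS (review HttpPutResponseHopLimit={hop})"
    return name, "PASS"


def audit(response: dict) -> Dict[str, str]:
    """Map each launch configuration name to its finding."""
    return dict(evaluate_launch_configuration(lc)
                for lc in response.get("LaunchConfigurations", []))


# Constructed sample shaped like describe-launch-configurations output.
SAMPLE_RESPONSE = {"LaunchConfigurations": [
    {"LaunchConfigurationName": "web-imdsv2", "MetadataOptions": {
        "HttpTokens": "required", "HttpPutResponseHopLimit": 1,
        "HttpEndpoint": "enabled"}},
    {"LaunchConfigurationName": "web-legacy", "MetadataOptions": {
        "HttpTokens": "optional", "HttpPutResponseHopLimit": 1,
        "HttpEndpoint": "enabled"}},
    {"LaunchConfigurationName": "batch-unset"},
]}

if __name__ == "__main__":
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for lc_name, finding in audit(data).items():
        print(f"{lc_name}: {finding}")
```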
References
https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-3
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html