lacework-global-810

EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) (Automated)

Description

This policy checks whether EC2 instances require Instance Metadata Service Version 2 (IMDSv2). The policy fails when an instance's HttpTokens metadata option is set to optional, meaning the instance still answers IMDSv1 requests that carry no session token.

Instance metadata is data about the running instance that software on the instance uses to configure or manage it. The Instance Metadata Service (IMDS) also serves temporary, frequently rotated credentials for the instance's IAM role, which removes the need to hard-code or distribute long-lived credentials to instances manually or programmatically.

Every EC2 instance has the IMDS attached locally. It listens on the link-local IP address 169.254.169.254, which is reachable only from software running on the instance. That restriction is also the weak point: any code path on the instance that can be induced to issue an HTTP request, such as an SSRF bug in a web application, can reach the IMDS and read the role credentials.

IMDSv2 adds protections against the following classes of vulnerability, which attackers use to reach the IMDS from outside the instance:

  • Open web application firewalls (WAFs)
  • Open reverse proxies
  • Server-Side Request Forgery (SSRF) vulnerabilities
  • Open Layer 3 firewalls and Network Address Translation (NAT)

It does this with a session token. The client first obtains the token with an HTTP PUT to /latest/api/token that carries an X-aws-ec2-metadata-token-ttl-seconds header, then presents the token in the X-aws-ec2-metadata-token header on every metadata request. The token request is refused if it carries an X-Forwarded-For header (a sign it passed through a proxy), the token response is sent with an IP TTL of 1 by default so it cannot be forwarded beyond the instance, and most SSRF vectors can only emit a plain GET. When HttpTokens is required, any request without a valid token is rejected with HTTP 401.
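The handshake described above, as an added example that is not part of this page or of Lacework's or AWS's code. The real service is at http://169.254.169.254; so that the exchange can be run offline, the block stands in a constructed local HTTP server that applies the IMDSv2 rules (token only via PUT with a TTL header, X-Forwarded-For refused, GET without a token answered 401). The role name and token value are made up.

```python
"""IMDSv2 session-token handshake against a local stand-in for the IMDS.
Added example, not Lacework or AWS code.  The stand-in mimics only the
rules that matter here: token via PUT with a TTL header, X-Forwarded-For
rejected, and (HttpTokens=required) every GET must carry the token."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

SAMPLE_ROLE = "example-instance-role"        # hypothetical role name
SAMPLE_TOKEN = "AQAEAExampleSessionToken=="  # hypothetical token value


def get_token(base_url, ttl_seconds=21600):
    """Step 1: PUT to the token endpoint with a TTL header (1..21600 s).
    A PUT with a custom header is what most SSRF, WAF and proxy paths
    cannot produce, which is the point of IMDSv2."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HDR: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base_url, path, token=None):
    """Step 2: GET a metadata path, presenting the session token if given.
    Returns (status, body) so a 401 is visible instead of raising."""
    headers = {TOKEN_HDR: token} if token else {}
    req = urllib.request.Request(base_url + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class _ImdsV2Stub(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS with HttpTokens=required."""

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Real IMDSv2 refuses token requests that carry X-Forwarded-For
        # (they passed through a proxy) and ones without a valid TTL.
        if self.path != TOKEN_PATH or "X-Forwarded-For" in self.headers:
            return self._send(403)
        ttl = self.headers.get(TTL_HDR)
        if not (ttl and ttl.isdigit() and 1 <= int(ttl) <= 21600):
            return self._send(400)
        self._send(200, SAMPLE_TOKEN)

    def do_GET(self):
        # HttpTokens=required: a GET without the token is the IMDSv1
        # pattern an SSRF would use, and it is rejected with 401.
        if self.headers.get(TOKEN_HDR) != SAMPLE_TOKEN:
            return self._send(401)
        if self.path == CREDS_PATH:
            return self._send(200, SAMPLE_ROLE)
        self._send(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub():
    """Start the stand-in on a free loopback port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _ImdsV2Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def demo(base_url):
    """Try the bare GET first, then the proper two-step handshake.
    Returns (v1_status, v2_status, role_name)."""
    v1_status, _ = get_metadata(base_url, CREDS_PATH)
    token = get_token(base_url)
    v2_status, role = get_metadata(base_url, CREDS_PATH, token)
    return v1_status, v2_status, role


if __name__ == "__main__":
    print(demo(start_stub()))  # (401, 200, 'example-instance-role')
```

Pointing `get_token` and `get_metadata` at http://169.254.169.254 from inside an instance performs the real handshake; on an instance still set to optional, the bare GET in `demo` returns 200 instead of 401, which is the condition this policy flags.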

Remediation

From the AWS console:

For a new EC2 instance:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2.
  4. In the left pane, under Instances, click Instances.
  5. Click the Launch instances button.
  6. Expand the Advanced details section.
  7. Set Metadata accessible to Enabled and Metadata version to V2 only (token required).
  8. Configure the EC2 instance as required.
  9. Click Launch instance.

For an existing EC2 instance:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2.
  4. In the left pane, under Instances, click Instances.
  5. Select the instance to be updated, and click Actions > Instance settings > Modify instance metadata options.
  6. In the pop-up window, set IMDSv2 to Required.
  7. Click Save.

From the CLI:

For a new EC2 instance:

aws ec2 run-instances --image-id <ami_id> --instance-type <instance_type> --metadata-options "HttpEndpoint=enabled,HttpTokens=required"

For an existing EC2 instance:

aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required
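The console and CLI steps above handle one instance at a time. The following is an added example, not Lacework's policy engine or AWS code, that audits a whole region for instances with HttpTokens set to optional and, with --apply, enforces required on them. The audit is a pure function over the describe-instances response shape, so it runs on the constructed sample below without AWS; the live path assumes boto3 is installed and the caller's credentials allow ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions. Instance IDs in the sample are fake.

```python
"""Audit a region for EC2 instances that still accept IMDSv1
(HttpTokens=optional) and optionally enforce IMDSv2 on them.
Added example, not Lacework or AWS code.  Assumes boto3 and AWS
credentials for the live path; the audit logic itself needs neither."""
import argparse


def noncompliant_instances(describe_response):
    """Return IDs of non-terminated instances whose HttpTokens is
    'optional', which is exactly the condition this policy fails on."""
    ids = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # gone; nothing to remediate
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpTokens") == "optional":
                ids.append(inst["InstanceId"])
    return ids


def audit_region(ec2):
    """Page through describe_instances and collect failing instance IDs."""
    ids = []
    for page in ec2.get_paginator("describe_instances").paginate():
        ids.extend(noncompliant_instances(page))
    return ids


def enforce_imdsv2(ec2, instance_ids):
    """Set HttpTokens=required on each instance, then re-read it to
    confirm.  Returns the IDs that no longer report 'optional'."""
    confirmed = []
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(InstanceId=iid,
                                             HttpTokens="required")
        if not noncompliant_instances(ec2.describe_instances(InstanceIds=[iid])):
            confirmed.append(iid)
    return confirmed


# Constructed describe-instances response for offline use (fake IDs).
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000001", "State": {"Name": "running"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0000000000000002", "State": {"Name": "running"},
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0000000000000003", "State": {"Name": "terminated"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    ]}]
}


def main():
    parser = argparse.ArgumentParser(description="IMDSv2 audit / enforce")
    parser.add_argument("--region", help="AWS region; omit to run on the sample")
    parser.add_argument("--apply", action="store_true",
                        help="set HttpTokens=required on failing instances")
    args = parser.parse_args()
    if not args.region:
        print("sample audit:", noncompliant_instances(SAMPLE_RESPONSE))
        return
    import boto3  # imported here so the offline path needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=args.region)
    failing = audit_region(ec2)
    print("HttpTokens=optional:", failing)
    if args.apply and failing:
        print("now required:", enforce_imdsv2(ec2, failing))


if __name__ == "__main__":
    main()
```

Before running with --apply, check the instance's MetadataNoToken CloudWatch metric: a non-zero value means software on it still makes IMDSv1 calls and will break once tokens are required. Containerised workloads that reach the IMDS through an extra network hop also need --http-put-response-hop-limit 2 (HttpPutResponseHopLimit), since the default of 1 stops the token response at the first hop.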

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-8
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html#recommended-path-for-requiring-imdsv2
https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html