Description:
The AWS Instance Metadata Service (IMDS) provides a convenient way for code running on an EC2 instance to retrieve metadata about that instance, such as its hostname, network configuration and security groups. It is reachable only from within the instance. IMDSv2 adds session-oriented requests: a caller must first obtain a session token and then present that token on each metadata request.
Rationale:
Requiring AWS EC2 Instance Metadata Service version 2 (IMDSv2) improves security by adding a defense-in-depth layer. IMDSv2 uses token-based authentication for requests to the metadata endpoint, and the token must first be obtained with a separate PUT request.
Impact:
Requiring IMDSv2 helps protect against a misconfigured web application firewall (WAF) that forwards requests to EC2 instances, since a plain GET relayed by the WAF carries no IMDSv2 session token and is rejected by the metadata endpoint.
Default Value:
Requiring IMDSv2 (http-tokens set to required) is disabled by default.
Pre-Requisite:
An EC2 instance in the running state.
Remediation:
Test Plan:
AWS Console Process
You can't use the Amazon EC2 console to view the metadata options of an existing instance. You can opt in to require that IMDSv2 be used when requesting instance metadata.
Using AWS CLI
aws ec2 describe-instances \
--instance-ids <instance id> \
--query 'Reservations[].Instances[].MetadataOptions'
In the output, HttpEndpoint should be enabled and HttpTokens should be required; an HttpTokens value of optional means the instance still answers IMDSv1 requests.
Implementation Steps:
AWS Console Process
You can't use the Amazon EC2 console to modify the metadata options of an existing instance. You can opt in to require that IMDSv2 be used when requesting instance metadata.
For a new EC2 instance
- Log in to the AWS console and select EC2 in the home pane.
- Select Instances in the left pane.
- Click Launch instances to launch a new instance.
- Give the instance the required name and choose the desired OS, instance type and security groups as needed.
- Under Advanced details, set Metadata accessible to Enabled and Metadata version to V2 only (token required).
- Click Launch instance.
Using AWS CLI
The following modify-instance-metadata-options example configures the use of IMDSv2 on the specified instance.
aws ec2 modify-instance-metadata-options \
--instance-id i-1234567898abcdef0 \
--http-tokens required \
--http-endpoint enabled
Command to launch a new instance with the metadata endpoint enabled and IMDSv2 required:
aws ec2 run-instances \
--image-id ami-0abcdef1234567890 \
--instance-type t2.micro \
--subnet-id subnet-08fc749671b2d077c \
--security-group-ids sg-0b0384b66d7d692f9 \
--key-name MyKeyPair \
--metadata-options "HttpEndpoint=enabled,HttpTokens=required"
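The Test Plan and Implementation Steps above check and fix one instance at a time. The following added example (not part of this control document) audits the JSON that `aws ec2 describe-instances --output json` prints for a whole region, flags every instance whose metadata endpoint is enabled but whose HttpTokens is not required, and prints (or, with apply=True, runs) the same modify-instance-metadata-options command used above. The embedded describe-instances output and instance IDs are constructed sample data.

```python
import json
import subprocess
import sys

# Constructed sample of `aws ec2 describe-instances` output (not real instances).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000aaaa",   # still accepts IMDSv1: needs fixing
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0000000000000bbbb",   # IMDSv2 only: compliant
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0000000000000cccc",   # metadata endpoint off: not exposed
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]
})


def noncompliant_instances(describe_json: str) -> list[str]:
    """Return IDs of instances that still answer IMDSv1 requests.

    Compliant means the endpoint is enabled and HttpTokens is 'required'.
    An instance whose endpoint is disabled exposes no metadata at all, so it
    is not flagged by this check.
    """
    ids = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                ids.append(inst["InstanceId"])
    return ids


def remediation_command(instance_id: str) -> list[str]:
    """Build the modify-instance-metadata-options call from the Implementation Steps."""
    return ["aws", "ec2", "modify-instance-metadata-options",
            "--instance-id", instance_id,
            "--http-tokens", "required",
            "--http-endpoint", "enabled"]


def audit(describe_json: str, apply: bool = False) -> list[str]:
    """Print the remediation for each flagged instance; run it when apply is True."""
    flagged = noncompliant_instances(describe_json)
    for instance_id in flagged:
        cmd = remediation_command(instance_id)
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)  # needs the AWS CLI and credentials
    return flagged


if __name__ == "__main__":
    # Live use: aws ec2 describe-instances --output json | python3 imds_audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    audit(data)
```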
Backout Plan:
AWS Console Process
You can't use the Amazon EC2 console to modify the metadata options of an existing instance. You can opt in to require that IMDSv2 be used when requesting instance metadata.
Using AWS CLI
To stop requiring IMDSv2 on an instance (revert to accepting IMDSv1 requests as well):
aws ec2 modify-instance-metadata-options \
--instance-id <instance id> \
--http-tokens optional \
--http-endpoint enabled
Reference:
Retrieve instance metadata - Amazon Elastic Compute Cloud
Use IMDSv2 - Amazon Elastic Compute Cloud
Modify instance metadata options for existing instances - Amazon Elastic Compute Cloud