Description:

The metadata options of an EC2 instance control how its instance metadata is accessed. The AWS Instance Metadata Service (IMDS) provides a convenient way to read metadata about a running EC2 instance, such as its hostname, network configuration and security groups. It is reachable only from within the instance. IMDSv2 uses session-oriented requests: a session token must be obtained first and presented with every metadata request.

Rationale:

AWS EC2 Instance Metadata Service version 2 (IMDSv2) improves security and adds a defense-in-depth layer. It uses token-based authentication for requests to the metadata endpoint: the token has to be obtained first with a separate PUT request and then sent with each metadata request.

Impact:

Requiring IMDSv2 helps protect against a misconfigured web application firewall (WAF) that allows requests to reach the EC2 instance's metadata service.

Default Value:

IMDSv2 is disabled by default.

Pre-Requisite:

  • An EC2 instance in running state

Remediation:

Test Plan:

  • AWS Console Process

You can't use the Amazon EC2 console to view the metadata options of an existing instance. You can opt in to require that IMDSv2 be used when requesting instance metadata.

Using AWS CLI

aws ec2 describe-instances \
--instance-ids <instance id> \
--query 'Reservations[].Instances[].[InstanceId,MetadataOptions]'

In the MetadataOptions output, HttpEndpoint must be enabled and HttpTokens must be required for IMDSv2 to be enforced; HttpTokens set to optional means IMDSv1 requests are still answered.

Implementation Steps:

  • AWS Console Process

You can't use the Amazon EC2 console to modify the metadata options of an existing instance. You can opt in to require that IMDSv2 be used when requesting instance metadata.

  • For a new EC2 instance

  1. Log in to the AWS console and select EC2 in the home pane.
  2. Select Instances in the left pane.
  3. Click Launch instances to launch a new instance.
  4. Give the instance the required name and choose the desired OS, instance type and security groups as needed.
  5. Under Advanced details, set Metadata accessible to Enabled and Metadata version to V2 only.
  6. Click Launch instance.


Using AWS CLI

The following modify-instance-metadata-options example configures the specified instance to require IMDSv2.

aws ec2 modify-instance-metadata-options \
--instance-id i-1234567898abcdef0 \
--http-tokens required \
--http-endpoint enabled

Command to launch a new instance with IMDSv2 required:

aws ec2 run-instances \
--image-id ami-0abcdef1234567890 \
--instance-type t2.micro \
--subnet-id subnet-08fc749671b2d077c \
--security-group-ids sg-0b0384b66d7d692f9 \
--key-name MyKeyPair \
--metadata-options "HttpEndpoint=enabled,HttpTokens=required"
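The Test Plan checks one instance at a time; the following added script (not part of this benchmark page or of AWS's tooling) audits a whole describe-instances response for instances that still accept IMDSv1 and emits the Implementation Steps' modify-instance-metadata-options command for each. The embedded sample response and its instance IDs are constructed placeholders; pipe real output with `aws ec2 describe-instances | python3 imds_audit.py` (the file name is assumed).

```python
"""Audit `aws ec2 describe-instances` output for instances that still accept IMDSv1.

Usage: aws ec2 describe-instances | python3 imds_audit.py
Without piped input the constructed sample below is audited instead.
"""
import json
import sys

# Constructed sample in the shape of describe-instances output; the IDs are placeholders.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ccccccccccccccc3",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}


def classify(metadata_options):
    """Map one instance's MetadataOptions block to a compliance status.

    HttpTokens=required means every metadata request needs the session token
    obtained via PUT, i.e. IMDSv2 only; 'optional' means plain IMDSv1 GETs still work.
    """
    if metadata_options.get("HttpEndpoint") == "disabled":
        return "imds-disabled"      # no metadata access at all; nothing to enforce
    if metadata_options.get("HttpTokens") == "required":
        return "imdsv2-required"    # compliant with this control
    return "imdsv1-allowed"         # finding: tokens optional (or field missing)


def audit(describe_output):
    """Return {InstanceId: status} for every instance in a describe-instances response."""
    return {inst["InstanceId"]: classify(inst.get("MetadataOptions", {}))
            for res in describe_output.get("Reservations", [])
            for inst in res.get("Instances", [])}


def remediation_commands(statuses):
    """The page's modify-instance-metadata-options command for each non-compliant instance."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-endpoint enabled"
            for iid, status in sorted(statuses.items()) if status == "imdsv1-allowed"]


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    statuses = audit(data)
    for iid, status in sorted(statuses.items()):
        print(f"{iid}\t{status}")
    for cmd in remediation_commands(statuses):
        print("remediate:", cmd)
```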

Backout Plan:

  • AWS Console Process

You can't use the Amazon EC2 console to modify the metadata options of an existing instance. You can opt in to require that IMDSv2 be used when requesting instance metadata.

Using AWS CLI

To disable IMDSv2 from EC2