Profile Applicability:

Level 1

Description:

When enabling the Metadata Service on AWS EC2 instances, users can choose between:

  • IMDSv1 (Request/Response Model)

  • IMDSv2 (Session-Oriented Model)

IMDSv2 enforces session-based authentication for metadata retrieval, enhancing security by mitigating Server-Side Request Forgery (SSRF) risks. Amazon recommends using IMDSv2 for improved instance security.

Rationale:

The EC2 Instance Metadata Service (IMDS) allows applications running on an instance to retrieve instance metadata and credentials. IMDSv1 allows unauthenticated, repeated metadata requests, which can be exploited through SSRF vulnerabilities.
IMDSv2 provides:

  • Session-Based Authentication: Each request must be associated with an active session.

  • Reduced Attack Surface: The session requirement prevents unauthorized access to metadata from malicious code or exploited applications.

Using IMDSv1 exposes instances to SSRF attacks, making it essential to require IMDSv2.

Impact:

  • Failure to enforce IMDSv2 leaves instances exposed to SSRF exploitation, in which an attacker retrieves IAM role credentials from the metadata service and uses them to access AWS resources.

  • Instances that still accept IMDSv1 requests remain vulnerable, with possible data leaks and privilege escalation as a result.

Default Value:

By default, AWS allows both IMDSv1 and IMDSv2 for instances unless explicitly configured.

Pre-Requisites:

  1. AWS CLI Installed (for command-line operations).

  2. IAM Permissions Required:

    • ec2:DescribeInstances (for auditing).

    • ec2:ModifyInstanceMetadataOptions (for remediation).

  3. Access to AWS Management Console with permissions to modify EC2 instance settings.

  4. AWS Regions Identified where instances need to be evaluated and updated.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard (AWS EC2 Console).

  3. In the left navigation panel, under INSTANCES, select Instances.

  4. Choose the EC2 instance to examine.

  5. Under Metadata Options, ensure IMDSv2 is set to Required.

Implementation Steps:
Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard (AWS EC2 Console).

  3. In the left navigation panel, under INSTANCES, select Instances.

  4. Choose the EC2 instance to modify.

  5. Click Actions → Instance Settings → Modify instance metadata options.

  6. Set:

    • Instance metadata service: Enable

    • IMDSv2: Required

  7. Click Save changes.

  8. Repeat for all applicable instances in all AWS regions.
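The Test Plan and Implementation Steps above are console-driven; the following added example (not part of the benchmark text) performs the same audit from the CLI output that the ec2:DescribeInstances permission allows, and builds the per-instance remediation command. It assumes the input is the JSON document returned by `aws ec2 describe-instances --output json`; the embedded sample response and its instance IDs are constructed.

```python
"""Audit EC2 MetadataOptions for IMDSv2 enforcement from describe-instances JSON.
The sample below is constructed, not real instance data."""
import json

# Constructed sample of an `aws ec2 describe-instances --output json` response.
SAMPLE_RESPONSE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111example", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb222example", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ccc333example", "State": {"Name": "stopped"},
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]})


def find_imdsv1_instances(describe_output: str) -> list:
    """Return instances whose metadata endpoint is enabled but does not require
    IMDSv2 session tokens (HttpTokens != "required").

    An instance with HttpEndpoint "disabled" cannot serve metadata at all, so it
    is not flagged even though its HttpTokens value may still read "optional".
    """
    data = json.loads(describe_output)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "State": inst.get("State", {}).get("Name"),
                    "HttpTokens": opts.get("HttpTokens"),
                })
    return findings


def remediation_command(instance_id: str, region: str) -> str:
    """Build the AWS CLI command that makes IMDSv2 required for one instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required "
            f"--http-endpoint enabled --region {region}")


if __name__ == "__main__":
    for f in find_imdsv1_instances(SAMPLE_RESPONSE):
        print(f"{f['InstanceId']} ({f['State']}): HttpTokens={f['HttpTokens']}")
        print("  " + remediation_command(f["InstanceId"], "us-east-1"))
```

Run it once per region against the live describe-instances output to cover step 8; review each generated command before executing it, since requiring tokens breaks any workload that still calls IMDSv1.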

Backout Plan:

If disabling IMDSv1 causes application issues:

  1. Re-enable IMDSv1 temporarily:

    aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens optional --region <region-name>

  2. Investigate application dependencies on IMDSv1.

  3. Update application configurations to support IMDSv2 authentication.

  4. Re-enforce IMDSv2 once fixes are applied.

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|----------------------------------------------------------------------------
CIS v8              | 4.8        | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
CIS v7              | 5.2        | Maintain Secure Images for enterprise systems