Profile Applicability
- Level 1
Description:
The Instance Metadata Service (IMDS) is a link-local HTTP endpoint (169.254.169.254) that returns metadata about an EC2 instance, such as the instance ID, security groups, public IP address, user data and, most sensitively, the temporary credentials of the attached IAM instance profile. IMDSv2 is the session-oriented version of the service: every request must carry a session token obtained with an HTTP PUT. This SOP ensures that the launch configuration used by an Auto Scaling group sets HttpTokens=required, so that every instance the group launches rejects IMDSv1 (token-less) requests. This blocks the common path by which SSRF (Server Side Request Forgery) in an application on the instance is turned into a credential theft.
Rationale:
Security: With HttpTokens=required, a caller must first send a PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, then present the returned token in an X-aws-ec2-metadata-token header on each GET; a GET without the token is answered with HTTP 401. Typical SSRF primitives can only issue a GET to an attacker-chosen URL and cannot set custom headers or use PUT, so they can no longer read /latest/meta-data/iam/security-credentials/. IMDS additionally refuses token PUT requests that carry an X-Forwarded-For header (a sign of a proxied request), and the PUT response hop limit (default 1) keeps the token from being delivered to a client more than one network hop away, such as a container without host networking.
Best Practices: Under the AWS shared responsibility model, the configuration of the metadata service is the customer's responsibility. Enforcing IMDSv2 in the launch configuration, rather than on individual instances, guarantees the setting for every instance the group launches or replaces.
Compliance: Audit frameworks such as SOC 2, PCI DSS and HIPAA do not name IMDS, but they require controls against unauthorized access to credentials and sensitive data, and IMDSv2 enforcement is the accepted technical control for this risk on EC2. The CIS Amazon Web Services Foundations Benchmark and AWS Security Hub both include a check that Auto Scaling launch configurations require IMDSv2, so this setting is commonly audited.
Impact:
Pros:
Enhanced Security: Instance metadata, including instance profile credentials, can only be read with a valid session token, which closes the GET-only SSRF path.
Compliance: Satisfies the CIS Benchmark and Security Hub checks for IMDSv2 on Auto Scaling launch configurations and supports audit evidence for access-control requirements.
Attack Surface Reduction: The hop limit and the rejection of forwarded requests reduce exposure from containers and reverse proxies running on the instance, not just from SSRF.
Cons:
Legacy Application Compatibility: Software that reads metadata with a plain GET (old SDK releases, home-grown scripts, some third-party agents) fails once IMDSv1 is refused. Current AWS SDKs and the AWS CLI use IMDSv2 automatically, but anything that still sends token-less requests must be updated first. The IMDS access metric (MetadataNoToken in CloudWatch) shows whether an instance still receives IMDSv1 calls.
Operational Overhead: Launch configurations are immutable, so enforcing the setting means creating a replacement configuration, repointing the group and rolling the existing instances. Workloads that run containers and need metadata from inside them require HttpPutResponseHopLimit=2 in addition to HttpTokens=required.
Default Value:
Unless --metadata-options is given when a launch configuration is created, it carries no MetadataOptions at all, which means HttpTokens=optional: instances launched from it answer both IMDSv1 and IMDSv2 requests. Some newer AMIs (for example Amazon Linux 2023) declare IMDSv2-required as their AMI default, and an account-level default can be set with aws ec2 modify-instance-metadata-defaults, but the launch configuration should enforce the setting explicitly rather than rely on AMI or account defaults.
Pre-requisite:
AWS IAM Permissions:
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeAutoScalingGroups
autoscaling:CreateLaunchConfiguration (launch configurations cannot be modified in place; a replacement is created)
autoscaling:UpdateAutoScalingGroup
autoscaling:StartInstanceRefresh (to roll existing instances onto the new configuration)
autoscaling:DeleteLaunchConfiguration (optional clean-up of the old configuration)
iam:PassRole (only if the launch configuration specifies an IAM instance profile)
ec2:ModifyInstanceMetadataOptions (optional, to fix already-running instances in place)
AWS CLI installed and configured for the target account and region.
Auto Scaling group exists and is backed by a launch configuration (groups backed by a launch template are configured through the template's MetadataOptions instead and are out of scope here).
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console and open the EC2 console.
In the left-hand navigation, under Auto Scaling, choose Launch Configurations.
Identify the launch configuration used by the Auto Scaling group (the group's Details tab names it) and select it.
In the configuration details, locate the instance metadata options.
If the metadata version is shown as V2 only (token required), IMDSv2 is enforced.
If it is shown as V1 and V2 (token optional), or no metadata options are listed at all, IMDSv1 remains available.
If IMDSv2 is not enforced, follow the Implementation Steps to replace the launch configuration.
Using AWS CLI:
To check whether IMDSv2 is enforced for a launch configuration, run:
aws autoscaling describe-launch-configurations --launch-configuration-names <launch-configuration-name> --query 'LaunchConfigurations[*].MetadataOptions.HttpTokens'
If the output contains "required", IMDSv2 is enforced. If it contains "optional", or is empty/null because the launch configuration has no MetadataOptions, instances launched from it still answer IMDSv1 requests and the configuration is non-compliant. Note the field name: the Auto Scaling API exposes the metadata settings as MetadataOptions (not InstanceMetadataOptions), so a query against the wrong name silently returns null and looks like "not set".
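The single-name query above does not scale to an account with many groups, and it does not distinguish "optional" from "never set". The following script is an added example, not part of this SOP's original text: it audits every launch configuration in the current region with one CLI call and classifies each one. The classification logic is a plain awk filter fed by the CLI's tab-separated text output, so it can also be exercised offline with constructed rows (the sample rows in the comments are constructed, not real output). It assumes the AWS CLI and awk are installed; the region and credentials come from the configured profile.

```sh
#!/bin/sh
# Added example (not from the original SOP): audit all launch configurations in a
# region for IMDSv2 enforcement using only the AWS CLI text output and awk.
#
# Input rows (one per launch configuration, tab-separated) as produced by audit_region:
#   <LaunchConfigurationName>\t<HttpTokens>\t<HttpPutResponseHopLimit>
# A launch configuration with no MetadataOptions prints "None" for both fields.
# Constructed sample rows used in the comments below (not real CLI output):
#   web-lc\trequired\t1       -> web-lc COMPLIANT
#   api-lc\toptional\t1       -> api-lc NONCOMPLIANT_OPTIONAL
#   old-lc\tNone\tNone        -> old-lc NONCOMPLIANT_UNSET
#   ecs-lc\trequired\t2       -> ecs-lc COMPLIANT_HOPLIMIT_GT1 (review: containers)

# Classify rows read from stdin. Prints "<name> <verdict>" per row and exits 1 if any
# launch configuration does not require IMDSv2, so it can gate a pipeline.
classify_lc_rows() {
    awk -F '\t' '
        {
            name = $1; tokens = $2; hops = $3
            if (tokens == "required") {
                # Required tokens: IMDSv1 is refused. A hop limit above 1 is still
                # compliant but widens the reach of the token response; flag for review.
                verdict = (hops == "None" || hops + 0 <= 1) ? "COMPLIANT" : "COMPLIANT_HOPLIMIT_GT1"
            } else if (tokens == "None") {
                # MetadataOptions never set: instances inherit AMI/account defaults,
                # which historically means token optional.
                verdict = "NONCOMPLIANT_UNSET"
            } else {
                # Explicit "optional": IMDSv1 GETs are still answered.
                verdict = "NONCOMPLIANT_OPTIONAL"
            }
            print name, verdict
            if (verdict !~ /^COMPLIANT/) bad = 1
        }
        END { exit bad }
    '
}

# Live audit of the current region. Requires AWS credentials; the CLI paginates for us.
audit_region() {
    aws autoscaling describe-launch-configurations \
        --query 'LaunchConfigurations[*].[LaunchConfigurationName, MetadataOptions.HttpTokens, MetadataOptions.HttpPutResponseHopLimit]' \
        --output text | classify_lc_rows
}
```

Run audit_region from a shell with read access to Auto Scaling; a non-zero exit means at least one launch configuration still allows IMDSv1. Rows marked NONCOMPLIANT_UNSET are the ones the plain HttpTokens query shows as empty, which is why the audit keys on "None" explicitly instead of only looking for the string "optional".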
Implementation Steps:
Using AWS Console:
Launch configurations cannot be edited after creation, so the change is made by creating a copy with the corrected metadata options and pointing the group at it.
Sign in to the AWS Management Console and open the EC2 console.
In the left-hand navigation, under Auto Scaling, choose Launch Configurations.
Select the launch configuration used by the group and choose Actions, then Copy launch configuration.
Give the copy a new name, expand Advanced details and, under the instance metadata options, set Metadata accessible to Enabled and Metadata version to V2 only (token required). Leave the response hop limit at 1 unless containers on the instance need metadata, in which case use 2.
Create the launch configuration.
Under Auto Scaling Groups, select the group, edit it, and change its launch configuration to the new copy, then save.
Existing instances keep the metadata settings they were launched with. Start an instance refresh on the group (Instance refresh tab) to replace them, or leave them to be replaced by normal scaling activity if the exposure window is acceptable.
Using AWS CLI:
There is no update-launch-configuration operation; create a replacement launch configuration that carries the current settings plus the metadata options, then point the Auto Scaling group at it. Copy every field of the existing configuration (AMI, instance type, security groups, key pair, instance profile, user data, block device mappings, monitoring) from the describe-launch-configurations output; only the minimum is shown here:
aws autoscaling create-launch-configuration \
  --launch-configuration-name <new-launch-configuration-name> \
  --image-id <ami-id> \
  --instance-type <instance-type> \
  --security-groups <security-group-id> \
  --iam-instance-profile <instance-profile-name> \
  --metadata-options HttpTokens=required,HttpEndpoint=enabled,HttpPutResponseHopLimit=1
aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name <auto-scaling-group-name> \
  --launch-configuration-name <new-launch-configuration-name>
Verify that the group now uses a configuration that requires IMDSv2:
aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <auto-scaling-group-name> --query 'AutoScalingGroups[*].LaunchConfigurationName'
aws autoscaling describe-launch-configurations --launch-configuration-names <new-launch-configuration-name> --query 'LaunchConfigurations[*].MetadataOptions.HttpTokens'
The second command should return "required". The new setting applies only to instances launched from now on; roll the running instances with:
aws autoscaling start-instance-refresh --auto-scaling-group-name <auto-scaling-group-name>
or, where a replacement is not acceptable, change each running instance in place:
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-endpoint enabled
Once all instances have been replaced, the old launch configuration can be removed with aws autoscaling delete-launch-configuration. AWS recommends launch templates over launch configurations; the equivalent setting in a launch template is MetadataOptions with HttpTokens=required.
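The CLI checks above confirm the control plane, not what an instance actually answers. The script below is an added example that is not part of this SOP's original text; it serves both the Rationale (it performs the exact PUT-then-GET exchange that IMDSv2 requires) and this verification step (run it on an instance launched from the new configuration to confirm IMDSv1 is refused). It assumes curl is installed on the instance. The classifier is separated from the network calls so the decision logic can be checked offline with constructed status codes; the status codes in the comments are the ones IMDS returns in each mode.

```sh
#!/bin/sh
# Added example (not from the original SOP): probe IMDS from inside an EC2 instance and
# report which metadata versions it answers. Assumes curl is available.

IMDS="http://169.254.169.254"

# HTTP status of an IMDSv1-style request: a plain GET with no token.
# 200 = IMDSv1 answered, 401 = tokens required, 000 = endpoint unreachable/disabled.
imds_status_v1() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 2 \
        "$IMDS/latest/meta-data/instance-id"
}

# HTTP status of the IMDSv2 token request: a PUT with a TTL header.
# 200 = token issued, 000 = no response (endpoint disabled, or the response hop limit
# dropped the reply because the caller is more than one hop away, e.g. a container).
imds_status_v2_put() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 2 -X PUT \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' \
        "$IMDS/latest/api/token"
}

# Read a metadata path the IMDSv2 way: obtain a short-lived session token, then present
# it on the GET. This is the exchange an SSRF GET primitive cannot perform.
imds_get_v2() {
    token=$(curl -s --max-time 2 -X PUT \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' \
        "$IMDS/latest/api/token") || return 1
    curl -s --max-time 2 -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/$1"
}

# Pure classifier: $1 = status of the token-less GET, $2 = status of the token PUT.
imds_mode() {
    case "$1/$2" in
        401/200) echo "v2-only" ;;          # HttpTokens=required: compliant
        200/200) echo "v1-and-v2" ;;        # HttpTokens=optional: SSRF-exposed
        000/*)   echo "unreachable" ;;      # HttpEndpoint=disabled or not on EC2
        */000)   echo "token-unreachable" ;; # v1 answered but PUT reply lost: hop limit
        *)       echo "unknown($1/$2)" ;;
    esac
}

# Live check to run on the instance. Expected output after this SOP: v2-only.
check_instance() {
    imds_mode "$(imds_status_v1)" "$(imds_status_v2_put)"
}
```

On a compliant instance check_instance prints v2-only and imds_get_v2 iam/security-credentials/ still returns the role name, which demonstrates that legitimate token-aware clients keep working while token-less reads get 401. A token-unreachable result from inside a container means the hop limit, not HttpTokens, is what is blocking access, and raising HttpPutResponseHopLimit to 2 in the launch configuration is the fix.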
Backout Plan:
Using AWS Console:
If requiring IMDSv2 breaks an application, revert the group to the previous launch configuration, which still exists because the change created a copy rather than modifying it.
Sign in to the AWS Management Console and open the EC2 console.
Under Auto Scaling, choose Auto Scaling Groups, select the group and edit it.
Change the launch configuration back to the original one and save.
Start an instance refresh, or leave the instances already launched with IMDSv2 in place and only replace the ones that fail. Instances launched under the new configuration keep HttpTokens=required until they are replaced or modified in place.
Using AWS CLI:
To revert the group to the previous launch configuration, run:
aws autoscaling update-auto-scaling-group --auto-scaling-group-name <auto-scaling-group-name> --launch-configuration-name <original-launch-configuration-name>
Verify that the group points at a configuration that allows IMDSv1 again:
aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <auto-scaling-group-name> --query 'AutoScalingGroups[*].LaunchConfigurationName'
aws autoscaling describe-launch-configurations --launch-configuration-names <original-launch-configuration-name> --query 'LaunchConfigurations[*].MetadataOptions.HttpTokens'
The second command should return "optional" or null. To relax an already-running instance without replacing it:
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens optional --http-endpoint enabled
Treat the backout as temporary: record the application that needs IMDSv1, fix it to use session tokens, and re-apply the Implementation Steps.