Profile Applicability:

  • Level 1

Description:

The Instance Metadata Service (IMDS) is an HTTP endpoint (169.254.169.254), reachable only from inside an EC2 instance, that exposes information such as the instance ID, security groups, the IAM role attached to the instance and the temporary credentials for that role. IMDSv1 answers plain GET requests. IMDSv2 (Instance Metadata Service Version 2) adds a session: a client must first obtain a token with a PUT request and then present that token in a header on every metadata request. Requiring IMDSv2 mitigates the classic SSRF (Server-Side Request Forgery) attack in which an attacker coerces an application on the instance into fetching a metadata URL and relaying the role credentials. Historically, instances launched with the metadata option HttpTokens set to optional, which leaves IMDSv1 usable. Setting HttpTokens to required on each instance, and as the account-level default for new launches, ensures the metadata service and the credentials it serves cannot be reached without a session token.

Rationale:

In an SSRF attack the attacker supplies a URL (or part of one) that an application on the instance fetches on the attacker's behalf, for example http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>. With IMDSv1 that single GET returns the role's temporary credentials. IMDSv2 requires a session token that is only issued in response to a PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds header, and every subsequent request must send the token in the X-aws-ec2-metadata-token header. Most SSRF primitives let the attacker choose a URL but not the HTTP method or request headers, so they cannot obtain a token; the service also refuses to issue tokens to requests carrying an X-Forwarded-For header, and the default PUT response hop limit of 1 keeps the token from leaving the instance through a proxy or NAT. Enforcing HttpTokens=required at the account level ensures metadata is only accessible with a valid session token on every instance, not only on the ones an administrator remembered to configure.
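The request sequence described above, as an added example that is not part of the benchmark and not AWS code: a small local stand-in for the metadata service that switches between HttpTokens=optional and HttpTokens=required, an SSRF-style fetcher that can only issue a GET to an attacker-chosen URL, and a well-behaved client that performs the PUT-then-GET token handshake. The role name, loopback port and credential values are constructed placeholders; the real service at 169.254.169.254 is never contacted.

```python
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed role name and constructed placeholder credentials (not real keys).
ROLE_NAME = "example-app-role"
FAKE_CREDENTIALS = {"AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
                    "SecretAccessKey": "example/secret/not-a-real-key",
                    "Token": "example-session-token"}
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/" + ROLE_NAME
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class FakeIMDS(BaseHTTPRequestHandler):
    """Local stand-in for IMDS; http_tokens mirrors the HttpTokens option."""
    http_tokens = "optional"
    tokens = {}                       # session token -> expiry (epoch seconds)

    def log_message(self, *args):     # silence per-request logging
        pass

    def _reply(self, status, body=""):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Token issuance: only on the token path, only with a TTL header, and
        # never for requests that arrived through a proxy (X-Forwarded-For).
        if self.path != TOKEN_PATH:
            return self._reply(404)
        if self.headers.get("X-Forwarded-For"):
            return self._reply(403)
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        if self.http_tokens == "required":
            expiry = self.tokens.get(self.headers.get(TOKEN_HEADER, ""))
            if expiry is None or expiry < time.time():
                return self._reply(401)   # IMDSv2 only: no valid token, no data
        if self.path == CREDS_PATH:
            return self._reply(200, json.dumps(FAKE_CREDENTIALS))
        self._reply(404)


def start_fake_imds(http_tokens):
    """Serve the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    handler = type("Handler", (FakeIMDS,), {"http_tokens": http_tokens, "tokens": {}})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def _request(url, method="GET", headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def ssrf_fetch(url):
    """What a typical SSRF sink gives an attacker: one GET to a URL they chose,
    with no control over the HTTP method or the request headers."""
    return _request(url)


def imdsv2_fetch(base_url, path):
    """What a well-behaved client (an AWS SDK) does: PUT for a token, GET with it."""
    status, token = _request(base_url + TOKEN_PATH, "PUT", {TTL_HEADER: "21600"})
    if status != 200:
        return status, ""
    return _request(base_url + path, headers={TOKEN_HEADER: token})


def run_scenario(http_tokens):
    """Return what the SSRF sink and the legitimate client each get back."""
    server, base_url = start_fake_imds(http_tokens)
    try:
        ssrf_status, ssrf_body = ssrf_fetch(base_url + CREDS_PATH)
        client_status, _ = imdsv2_fetch(base_url, CREDS_PATH)
    finally:
        server.shutdown()
        server.server_close()
    return {"ssrf_status": ssrf_status,
            "ssrf_leaked_key": "AccessKeyId" in ssrf_body,
            "client_status": client_status}


if __name__ == "__main__":
    for mode in ("optional", "required"):
        print("HttpTokens=%s -> %s" % (mode, run_scenario(mode)))
```

With HttpTokens=optional the SSRF fetch receives the credential document; with HttpTokens=required it receives 401 while the token-aware client still succeeds, which is the whole effect of the remediation: the application's legitimate access is unchanged and only the untokened path is closed.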

Impact:

Pros:

  • Enhanced Security: role credentials served by the metadata service can no longer be read with a single untokened GET.

  • Mitigates SSRF-Based Credential Theft: the session token must be obtained with a PUT request carrying a custom header, which a typical SSRF primitive cannot issue, so SSRF no longer yields IAM credentials.

  • Compliance with Security Standards: helps meet security standards and frameworks that require IMDSv2 for metadata access.

Cons:

  • Compatibility Issues: older AWS SDKs, CLI builds, agents and scripts that call the metadata service without a token stop working once HttpTokens is required. The EC2 CloudWatch metric MetadataNoToken counts IMDSv1 calls per instance and should be reviewed before enforcing.

  • Hop Limit Side Effects: the recommended PUT response hop limit of 1 keeps tokens inside the instance, but containers that reach IMDS through a NAT'd network namespace (for example Docker bridge networking) then cannot obtain tokens; such hosts need a hop limit of 2.

  • Initial Setup Overhead: enforcing IMDSv2 means changing every existing instance as well as the launch templates, AMIs and account default that produce new ones, which takes planning in environments with a large number of EC2 instances.

Default Value:

Unless an AMI, launch template or account-level default specifies otherwise, instances launch with HttpTokens set to optional, which accepts both untokened IMDSv1 requests and IMDSv2 requests (some recent AMIs, such as Amazon Linux 2023, already default to required). If no configuration changes are made, metadata requests can be made without session tokens, exposing role credentials to SSRF. HttpTokens must be explicitly set to required, on each instance and as the account-level default, for IMDSv2 to be enforced.

Pre-requisite:

  • AWS IAM permissions:

    • ec2:DescribeInstances

    • ec2:ModifyInstanceMetadataOptions

    • ec2:GetInstanceMetadataDefaults and ec2:ModifyInstanceMetadataDefaults (for the account-level default that applies to new launches)

  • AWS CLI installed and configured.

  • Basic knowledge of EC2 Instance Metadata Service and how to configure it.

  • Familiarity with Server-Side Request Forgery (SSRF) vulnerabilities.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services and choose Instances.

  3. Select the EC2 instance that you want to check for IMDSv2 enforcement.

  4. In the Details tab, locate the instance metadata options (the current console labels the field IMDSv2; older console layouts show it under Metadata Options on the Description tab).

  5. Check whether IMDSv2 is Required:

    • If it is Optional, IMDSv1 is still accepted; modify the configuration to make IMDSv2 required (Actions, Instance settings, Modify instance metadata options).

  6. To check whether IMDSv2 is enforced at the account level, open the EC2 Dashboard, choose Account attributes, then Data protection and security, and review the IMDS defaults for the region; also review any AWS Config rules or AWS Organizations policies that enforce the setting across accounts.

Using AWS CLI:

To check the metadata options of an EC2 instance, run the following command (note the plural --instance-ids):

aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions' --output json

An instance that enforces IMDSv2 shows HttpTokens set to required:

[
    {
        "State": "applied",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1,
        "HttpEndpoint": "enabled"
    }
]

HttpTokens is the field that decides this check: optional means IMDSv1 requests are still answered. A hop limit of 1 is the hardened value (session tokens cannot leave the instance), and HttpEndpoint set to disabled means the service is unreachable altogether. The output also contains HttpProtocolIpv6 and InstanceMetadataTags, which are not relevant to this check.

To enforce IMDSv2 on an EC2 instance, modify the metadata options with the following command:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-put-response-hop-limit 1

This sets HttpTokens to required, enforcing IMDSv2. The change applies to a running instance without a reboot; MetadataOptions.State reads pending until it has been applied.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2 and choose Instances.

  3. Select the EC2 instance for which you want to enforce IMDSv2.

  4. Choose Actions, Instance settings, Modify instance metadata options (older console layouts expose the same setting under Metadata Options on the Description tab).

  5. Set IMDSv2 to Required and leave the metadata endpoint enabled. Keep the response hop limit at 1 unless containers on the instance need metadata access.

  6. Save the changes; they take effect on the running instance without a reboot.

  7. To enforce at the account level, set the IMDS defaults for the region (EC2 Dashboard, Account attributes, Data protection and security) to require IMDSv2 for new launches, and use AWS Config or an AWS Organizations policy to detect and correct instances that still allow IMDSv1.

Using AWS CLI:

Run the following command to enforce IMDSv2 for an EC2 instance:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required

To enforce IMDSv2 across many instances, run the command for each instance ID returned by describe-instances, and set HttpTokens=required in the MetadataOptions of every launch template and Auto Scaling group so replacement instances do not regress. To enforce at the account level, set the region's IMDS default for new launches with the EC2 ModifyInstanceMetadataDefaults API (in the CLI, aws ec2 modify-instance-metadata-defaults --http-tokens required, run once per region); this default applies only to instances launched after the change, so existing instances still need the per-instance command above. Use the AWS Config managed rule ec2-imdsv2-check, or a custom rule, to detect instances that drift back to optional.
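The check in the Test Plan and the remediation command above, combined in one added example (not AWS or CIS code) that evaluates the JSON from describe-instances for a whole region at once rather than one instance at a time. The describe-instances output below is a constructed sample with placeholder instance IDs; the hop-limit and pending-state warnings go beyond the page's single HttpTokens check.

```python
import json

# Constructed sample standing in for `aws ec2 describe-instances --output json`;
# only the fields the check reads are included, and the instance IDs are fake.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1",   # compliant
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2",   # IMDSv1 still accepted
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0ccccccccccccccc3",   # v2 required, hop limit relaxed
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0ddddddddddddddd4",   # IMDS endpoint switched off
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
    ]}]
})


def evaluate_metadata_options(options, max_hop_limit=1):
    """Return (severity, message) findings for one MetadataOptions block.

    FAIL means IMDSv1 is reachable now; WARN means the hardening is weaker than
    the benchmark's expected values but does not by itself expose IMDSv1.
    """
    if options.get("HttpEndpoint") == "disabled":
        if options.get("HttpTokens") != "required":
            return [("WARN", "endpoint disabled but HttpTokens is optional: "
                             "re-enabling the endpoint would expose IMDSv1")]
        return []                      # nothing listens; nothing to abuse
    findings = []
    if options.get("HttpTokens") != "required":
        findings.append(("FAIL", "HttpTokens is %r: IMDSv1 requests are accepted"
                         % options.get("HttpTokens")))
    hop_limit = int(options.get("HttpPutResponseHopLimit", 1))
    if hop_limit > max_hop_limit:
        findings.append(("WARN", "HttpPutResponseHopLimit is %d (>%d): session tokens "
                         "can be fetched from beyond the instance's own network stack"
                         % (hop_limit, max_hop_limit)))
    if options.get("State") != "applied":
        findings.append(("WARN", "MetadataOptions change still pending"))
    return findings


def audit(describe_output_json, max_hop_limit=1):
    """Map InstanceId -> findings for every instance that has at least one."""
    doc = json.loads(describe_output_json)
    report = {}
    for reservation in doc.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            findings = evaluate_metadata_options(
                instance.get("MetadataOptions", {}), max_hop_limit)
            if findings:
                report[instance["InstanceId"]] = findings
    return report


def noncompliant_instances(report):
    """Instance IDs with a FAIL finding: the ones that need remediation now."""
    return sorted(i for i, f in report.items() if any(s == "FAIL" for s, _ in f))


def remediation_command(instance_id, hop_limit=1):
    """The exact CLI call that brings one instance into compliance."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-put-response-hop-limit %d"
            % (instance_id, hop_limit))


if __name__ == "__main__":
    report = audit(SAMPLE_DESCRIBE_OUTPUT)
    for instance_id, findings in report.items():
        for severity, message in findings:
            print("%s %s: %s" % (severity, instance_id, message))
    for instance_id in noncompliant_instances(report):
        print(remediation_command(instance_id))
```

Feed it the real output of describe-instances (without a --query filter) to get a region-wide list; the printed commands can be reviewed and then executed, or the function can be wrapped in a Lambda-backed AWS Config custom rule if the managed rule's single HttpTokens check is not enough.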

Backout Plan:

If enforcing IMDSv2 causes application or connectivity issues, revert the metadata configuration by setting HttpTokens back to optional, which re-enables IMDSv1 alongside IMDSv2:

  1. Identify the affected EC2 instances (the CloudWatch metric MetadataNoToken shows which instances are still making IMDSv1 calls).

  2. Revert the metadata settings:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens optional

  3. Verify that the instances are functioning as expected and that the metadata service answers requests without a token. If the account-level default was also changed, new launches will still require IMDSv2 until that default is reverted as well.

  4. Document the restoration actions for auditing and compliance purposes, and treat the reversion as temporary: fix or replace the IMDSv1 caller, then re-enforce IMDSv2.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |