Profile Applicability:
- Level 1
Description:
Amazon EC2 instances use the Instance Metadata Service (IMDS) to provide data about the instance, such as instance ID, IAM roles, and network configuration. IMDSv2 (Instance Metadata Service Version 2) enhances security by requiring session tokens for metadata requests, thereby mitigating risks associated with Server-Side Request Forgery (SSRF) attacks. This SOP ensures that IMDSv2 is enabled and required for EC2 instances launched using launch templates, enforcing more secure metadata access.
Rationale:
Requiring IMDSv2 closes the most common abuse of the metadata endpoint: a Server-Side Request Forgery (SSRF) flaw, open proxy or misconfigured reverse proxy that lets an attacker make the instance fetch http://169.254.169.254/ on their behalf and return the IAM role credentials served under /latest/meta-data/iam/security-credentials/. IMDSv1 answers any plain GET. IMDSv2 requires a session token that is obtained with an HTTP PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds header and then presented in the X-aws-ec2-metadata-token header on every metadata request; most SSRF primitives can only issue a GET and cannot set custom headers, so they can neither obtain nor use a token. The PUT response is also sent with an IP TTL of 1 by default (HttpPutResponseHopLimit), so a token request relayed from another network hop, such as a misconfigured proxy, does not get an answer. With HttpTokens set to required the service rejects token-less IMDSv1 requests with HTTP 401, and every instance launched from the template inherits that protection.
Impact:
Pros:
Enhanced Security: IMDSv2 requires a session token that can only be obtained with a PUT request and a custom header, which typical SSRF primitives cannot issue, so metadata access is far more resistant to SSRF.
Compliance: Meets security best practices for instance metadata access.
Mitigates Risks: Reduces the chances of an attacker gaining access to sensitive instance metadata, IAM roles, and other data.
Cons:
Compatibility Issues: Software that reads metadata with a plain GET (older AWS SDK and CLI versions, some monitoring agents, hand-written scripts) stops working once IMDSv1 is rejected and must be updated to request a token. Before enforcing, check the EC2 CloudWatch metric MetadataNoToken, which counts IMDSv1 calls per instance, to find callers that still need updating.
Initial Setup Overhead: Launch template versions are immutable, so enforcing IMDSv2 means creating a new template version and making it the default. Instances already running from earlier versions keep the metadata options they were launched with and must be changed separately (modify-instance-metadata-options), and Auto Scaling groups pinned to a specific version number do not pick up the new default.
Default Value:
By default a launch template sets no metadata options, so instances launched from it take the AMI or account default, which for most AMIs is HttpTokens=optional: both IMDSv1 and IMDSv2 are accepted. Some AMIs (for example Amazon Linux 2023) default to IMDSv2 required, and an account-level default can be set with modify-instance-metadata-defaults; neither replaces the explicit setting in the template, which is what this SOP checks. This SOP ensures that IMDSv2 is enabled and required for all EC2 instances launched through launch templates.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeLaunchTemplates
ec2:DescribeLaunchTemplateVersions
ec2:CreateLaunchTemplateVersion
ec2:ModifyLaunchTemplate
AWS CLI installed and configured.
Basic understanding of EC2 Instance Metadata Service and IMDSv2 configuration.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
In the left navigation pane, select Launch Templates under Instances.
For each launch template, open it, go to the Versions tab and select the version marked as Default (that is the version new launches and $Default Auto Scaling groups use).
Under Details, expand Advanced details and check Metadata version: it must read V2 only (token required), with Metadata accessible set to Enabled. V1 and V2 (token optional), or no value at all, means IMDSv1 is still accepted and the template is non-compliant.
If the setting is not V2 only (token required), remediate as described under Implementation Steps. Launch template versions cannot be edited in place; a new version is created and then set as the default.
Using AWS CLI:
To list the default version of every launch template together with its metadata options, use the following command. Note that describe-launch-templates does not return metadata options; they are part of each version's LaunchTemplateData, so the check is against describe-launch-template-versions:
aws ec2 describe-launch-template-versions --versions '$Default' --query 'LaunchTemplateVersions[*].{ID:LaunchTemplateId,Name:LaunchTemplateName,Version:VersionNumber,HttpTokens:LaunchTemplateData.MetadataOptions.HttpTokens,HttpEndpoint:LaunchTemplateData.MetadataOptions.HttpEndpoint}' --output table
Check the output to see if IMDSv2 is enabled and required:
Ensure that the HttpTokens field is required, which indicates IMDSv2 is enforced: on such instances a GET to the metadata endpoint without a token returns HTTP 401. A value of optional, or an empty field (the template sets no metadata options and inherits the account default), means IMDSv1 is still accepted and the template is non-compliant. A version whose HttpEndpoint is disabled has no metadata service at all and needs no HttpTokens setting.
If IMDSv2 is not required, remediate with the commands under Implementation Steps: a new version is created from the current default version with HttpTokens set to required, and that version is then promoted to the default.
Implementation Steps:
Using AWS Console:
Open the AWS Management Console
Navigate to EC2.
Under Launch Templates, identify the templates used to launch EC2 instances.
For each launch template, verify the default version's Metadata version under Advanced details, as described in the Test Plan.
If it is not V2 only (token required), select the template, then choose Actions and Modify template (Create new version). Keep the current default version as the source template so that every other setting is carried over unchanged.
Under Advanced details, set Metadata accessible to Enabled and Metadata version to V2 only (token required), then choose Create template version.
Select the template again, choose Actions and Set default version, and pick the version just created. Only instances launched after this change pick up the new setting; instances already running keep the metadata options they were launched with.
Using AWS CLI:
Run the following command to list each launch template's default version and its HttpTokens setting:
aws ec2 describe-launch-template-versions --versions '$Default' --query 'LaunchTemplateVersions[*].{ID:LaunchTemplateId,Name:LaunchTemplateName,Version:VersionNumber,HttpTokens:LaunchTemplateData.MetadataOptions.HttpTokens}' --output table
If HttpTokens is not required, create a new version of the template based on the current default version, overriding only the metadata options. Everything else (AMI, instance type, security groups, user data) is inherited from the source version:
aws ec2 create-launch-template-version --launch-template-id <template-id> --source-version <default-version-number> --launch-template-data '{"MetadataOptions":{"HttpTokens":"required","HttpEndpoint":"enabled"}}'
Note the VersionNumber in the command output and make that version the default, so that future launches (including Auto Scaling groups that reference $Default) use it:
aws ec2 modify-launch-template --launch-template-id <template-id> --default-version <new-version-number>
Verify that the default version now requires IMDSv2:
aws ec2 describe-launch-template-versions --launch-template-id <template-id> --versions '$Default' --query 'LaunchTemplateVersions[*].LaunchTemplateData.MetadataOptions'
Auto Scaling groups that are pinned to a specific version number or to $Latest must be checked separately. Instances that are already running keep the metadata options they were launched with; the equivalent setting on a running instance is changed with modify-instance-metadata-options.
Backout Plan:
If enforcing IMDSv2 breaks an application on instances launched from the new version, roll the template back as follows:
Identify the affected launch template and the version number that was the default before the change (the describe-launch-template-versions output taken during the Test Plan records it).
Set that earlier version back as the default. The IMDSv2 version is kept and can be promoted again once the application has been fixed:
aws ec2 modify-launch-template --launch-template-id <template-id> --default-version <previous-version-number>
If the earlier version is no longer suitable, create a further version from the current default that allows IMDSv1 by setting HttpTokens to optional, and set it as the default in the same way:
aws ec2 create-launch-template-version --launch-template-id <template-id> --source-version <current-default-version-number> --launch-template-data '{"MetadataOptions":{"HttpTokens":"optional"}}'
Verify with describe-launch-template-versions that the default version now shows HttpTokens optional, launch a fresh instance and confirm the application functions as expected. Instances already launched with HttpTokens required are not affected by the rollback; their setting is changed per instance with modify-instance-metadata-options.