Profile Applicability:

  • Level 1

Description:

Amazon EC2 Instance Metadata Service (IMDS) provides EC2 instances with metadata about themselves, including instance identity, network information, and the temporary credentials of the attached IAM role. IMDSv2 is the session-oriented version of IMDS: a client must first obtain a session token with a PUT request and then present that token on every metadata GET. Requiring IMDSv2 on all EC2 instances makes the metadata, and in particular the role credentials, much harder to reach through SSRF (Server-Side Request Forgery) and similar request-forwarding bugs. This SOP outlines how to check whether IMDSv2 is enabled and required for EC2 instances and how to enforce it.

Rationale:

IMDSv2 enhances security by requiring a session token for all metadata requests. IMDSv1, which answers any plain GET without a token, is routinely exploited through SSRF: an attacker who can make the application fetch an arbitrary URL points it at http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> and receives the role's credentials. Under IMDSv2 the token must be obtained with a PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds header, and the token response is discarded if it has to cross more network hops than HttpPutResponseHopLimit allows, so the usual SSRF primitive (an attacker-controlled GET URL) cannot complete the exchange. Enforcing IMDSv2 (HttpTokens set to required) on all EC2 instances therefore mitigates this class of credential theft.
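The token exchange described above, shown end to end as an added example (this is illustrative code, not AWS code or part of the original SOP). A small in-process HTTP server stands in for 169.254.169.254 and enforces the IMDSv2 rule that a metadata GET must carry an X-aws-ec2-metadata-token obtained from an earlier PUT; it is run once with tokens required and once with tokens optional, against a bare GET (what a typical SSRF primitive can issue) and against the full v2 exchange. The role name, loopback port and credential document are constructed placeholders:

```python
"""Mock of the IMDSv2 session-token handshake (added illustration, not AWS code).

A tiny in-process HTTP server stands in for 169.254.169.254 and enforces the
IMDSv2 rule that a metadata GET must carry an X-aws-ec2-metadata-token
obtained from an earlier PUT. The credential document and role name are
constructed placeholders.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/example-role"  # placeholder role
# Constructed stand-in for the credential document; not real keys.
FAKE_CREDS = b'{"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"example"}'

# Direct connections only: an http_proxy in the environment must not hijack
# requests meant for the local mock.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockImds(BaseHTTPRequestHandler):
    """Serves PUT /latest/api/token and GET /latest/meta-data/* like IMDS."""
    require_tokens = True   # HttpTokens=required; a subclass sets False for optional
    tokens = set()

    def log_message(self, *args):
        pass  # keep the example quiet

    def do_PUT(self):
        # IMDSv2 hands out a session token only to a PUT carrying the TTL header.
        if self.path != "/latest/api/token" or TOKEN_TTL_HEADER not in self.headers:
            self.send_error(400)
            return
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        self._reply(token.encode())

    def do_GET(self):
        # With HttpTokens=required, every metadata GET must present a live token.
        if self.require_tokens and self.headers.get(TOKEN_HEADER) not in self.tokens:
            self.send_error(401)   # real IMDS answers 401 here too
            return
        if self.path == CREDS_PATH:
            self._reply(FAKE_CREDS)
        else:
            self.send_error(404)

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_imds(require_tokens):
    """Start a mock on a random loopback port; returns (server, base_url)."""
    handler = type("Handler", (MockImds,), {"require_tokens": require_tokens, "tokens": set()})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch_v1(base):
    """IMDSv1-style request: a bare GET with no token. Returns the HTTP status."""
    try:
        with OPENER.open(base + CREDS_PATH, timeout=2) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def fetch_v2(base, ttl=21600):
    """IMDSv2 exchange: PUT for a token (TTL 1..21600 s), then GET with it."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl)})
    with OPENER.open(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + CREDS_PATH, headers={TOKEN_HEADER: token})
    with OPENER.open(req, timeout=2) as r:
        return r.status


def demo():
    """HTTP status seen by a v1 client and a v2 client under each HttpTokens setting."""
    results = {}
    for mode in ("required", "optional"):
        server, base = start_mock_imds(require_tokens=(mode == "required"))
        try:
            results[mode] = {"v1": fetch_v1(base), "v2": fetch_v2(base)}
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for mode, codes in demo().items():
        print("HttpTokens=%-8s plain GET -> %d   token exchange -> %d" % (mode, codes["v1"], codes["v2"]))
```

With HttpTokens=required the bare GET gets 401 while the two-step exchange succeeds; with HttpTokens=optional both succeed, which is exactly the exposure this SOP removes. The mock does not model the hop limit: on real IMDS the PUT response is additionally dropped once it has to traverse more hops than HttpPutResponseHopLimit, which is why the default of 1 blocks tokens from reaching containers behind a bridge network.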

Impact:

Pros:

  • Improved Security: IMDSv2 reduces the attack surface by requiring a session token for metadata access.

  • Compliance: Aligns with security best practices by enforcing stricter authentication for metadata access.

  • Prevents Exploits: Mitigates SSRF vulnerabilities that could expose sensitive metadata.

Cons:

  • Compatibility Issues: Legacy applications and older SDKs that only speak IMDSv1 will lose access to metadata (and role credentials) until they are updated to perform the token exchange.

  • Hop Limit: Workloads that reach IMDS through an extra network hop, such as containers on a bridge network or a local forwarding proxy, do not receive the token response while HttpPutResponseHopLimit is 1; they need the limit raised (typically to 2) alongside the HttpTokens change.

  • Configuration Overhead: New instances, launch templates and AMIs must be configured to require IMDSv2, and existing instances must be modified individually.

Default Value:

Unless the AMI or an account-level default specifies otherwise, an EC2 instance launches with HttpTokens set to optional, meaning both IMDSv1 and IMDSv2 requests are answered. In that state any SSRF that can reach 169.254.169.254 can read the role credentials with a single GET.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeInstances

    • ec2:ModifyInstanceMetadataOptions

  • AWS CLI installed and configured.

  • Basic understanding of EC2 Instance Metadata Service and IMDSv2 configuration.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the Instances section, select the EC2 instance whose metadata options you want to verify.

  4. In the instance details (the Description or Details tab, depending on console version), locate the Metadata Options section.

  5. Verify the HttpTokens setting:

    • If HttpTokens is set to required, IMDSv2 is enforced and IMDSv1 requests are rejected.

    • If HttpTokens is set to optional, IMDSv1 is still accepted and the instance is not secure.

  6. To modify the instance metadata options, click Modify (Actions > Instance settings > Modify instance metadata options) and set HttpTokens to required.

Using AWS CLI:

To check if IMDSv2 is enabled and required for an instance, run (note that describe-instances takes --instance-ids, plural):

aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions' --output json

Expected output:

[
    {
        "State": "applied",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1,
        "HttpEndpoint": "enabled"
    }
]

The State field reads pending for a short time after a modification; re-run the check until it reads applied. Other fields (for example HttpProtocolIpv6 and InstanceMetadataTags) may also appear.

If IMDSv2 is not required (i.e., HttpTokens is set to optional), modify the instance metadata options (this command takes --instance-id, singular):

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. Go to Instances and select the EC2 instance you wish to check.

  4. Under the Description (or Details) tab, locate the Metadata Options section.

  5. Ensure that the HttpTokens field is set to required (this enforces IMDSv2).

  6. If it is set to optional, click Modify (Actions > Instance settings > Modify instance metadata options) and set HttpTokens to required.

  7. Save the changes.

Using AWS CLI:

Run the following command to verify the Metadata Options for an instance:

aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions' --output json

If IMDSv2 is not required, modify the metadata options with:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required

If the instance hosts containers or a proxy that reaches IMDS one hop away, add --http-put-response-hop-limit 2 to the same command so those workloads can still obtain a token.

Confirm that IMDSv2 is enforced by checking the metadata options again and waiting for State to read applied:

aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions' --output json
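The per-instance checks in the Test Plan and Implementation Steps above scale poorly across an account, so here is an audit helper as an added example (illustrative code, not AWS code or part of the original SOP). It parses the JSON that a plain `aws ec2 describe-instances --output json` prints, skips terminated instances, treats an instance with the IMDS endpoint disabled as compliant, flags everything still accepting IMDSv1, and emits this SOP's modify command for each finding, passing the existing hop limit through so container hosts keep working. The describe-instances response, instance IDs and role names below are constructed for the example:

```python
"""Audit helper for the MetadataOptions check in this SOP (added example, not AWS code).

Reads the JSON printed by `aws ec2 describe-instances --output json`, reports
instances that still accept IMDSv1, and prints the SOP's remediation command
for each. The response below is constructed for the example; instance IDs are
placeholders.
"""
import json
import sys

# Constructed sample of `aws ec2 describe-instances --output json`, trimmed to
# the fields this audit reads.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            # IMDS switched off entirely: nothing to steal, so compliant as-is.
            {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "running"},
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
            # Terminated instances linger in describe-instances for a while and
            # cannot be modified, so they are skipped rather than reported.
            {"InstanceId": "i-0ddddddddddddddd4", "State": {"Name": "terminated"},
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            # Container host whose tasks reach IMDS through an extra hop.
            {"InstanceId": "i-0eeeeeeeeeeeeeee5", "State": {"Name": "applied"},
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        ]},
    ]
})


def audit_metadata_options(describe_output):
    """Return one finding dict per live instance: id, compliant flag, reason, hop_limit."""
    findings = []
    for reservation in json.loads(describe_output)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] in ("terminated", "shutting-down"):
                continue
            opts = inst.get("MetadataOptions", {})
            finding = {"id": inst["InstanceId"],
                       "hop_limit": opts.get("HttpPutResponseHopLimit", 1)}
            if opts.get("HttpEndpoint") == "disabled":
                finding.update(compliant=True, reason="IMDS endpoint disabled")
            elif opts.get("HttpTokens") == "required":
                finding.update(compliant=True, reason="IMDSv2 required")
            else:
                reason = "HttpTokens=%s, IMDSv1 still accepted" % opts.get("HttpTokens")
                if opts.get("State") == "pending":
                    reason += " (a change is pending; re-check before remediating)"
                finding.update(compliant=False, reason=reason)
            findings.append(finding)
    return findings


def remediation_commands(describe_output):
    """Build the SOP's modify command for each non-compliant instance.

    The current hop limit is passed through explicitly so that container hosts
    already set to 2 keep working once IMDSv2 is enforced.
    """
    return ["aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-endpoint enabled "
            "--http-put-response-hop-limit %d" % (f["id"], f["hop_limit"])
            for f in audit_metadata_options(describe_output) if not f["compliant"]]


if __name__ == "__main__":
    # Pipe real output in (`aws ec2 describe-instances --output json | python3 audit_imds.py`)
    # or run without stdin to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for f in audit_metadata_options(data):
        print("%-22s %-13s %s" % (f["id"], "OK" if f["compliant"] else "NON-COMPLIANT", f["reason"]))
    print()
    print("\n".join(remediation_commands(data)))
```

Run it once per region, since describe-instances is regional. The printed commands are deliberately not executed by the script: review them, confirm with the owners of any instance whose hop limit is above 1, then run them, and re-run the audit until every instance reports IMDSv2 required with State applied.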

Backout Plan:

If enabling IMDSv2 causes compatibility issues with applications or services:

  1. Identify the affected EC2 instances.

  2. Check first whether the failure is only a hop-limit problem (for example, containers or a local proxy reaching IMDS one hop away). Raising the limit with --http-put-response-hop-limit 2 usually resolves it without re-enabling IMDSv1.

  3. If a revert is unavoidable, modify the metadata options to accept IMDSv1 again by setting HttpTokens to optional:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens optional

  4. Verify that the instances are functioning as expected and the metadata service is accessible, and record the exception: until IMDSv2 is re-enforced the instance is again exposed to SSRF-based credential theft.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
--------|------------|---------------------|-----|-----|----
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |