Profile Applicability:
- Level 2
Description:
Ensure that Instance Metadata Service Version 2 (IMDSv2) is enforced on all running Amazon EC2 instances. IMDSv2 uses session-based tokens to secure access to EC2 instance metadata, providing a more secure way to manage metadata access compared to IMDSv1. This policy enforces IMDSv2 to improve security by restricting unauthorized access to instance metadata.
Rationale:
The Instance Metadata Service (IMDS) is used by EC2 instances to access instance-specific metadata, such as the instance ID, security groups, and IAM role credentials. IMDSv1 is vulnerable to attacks such as SSRF (Server-Side Request Forgery), which allows an attacker to retrieve sensitive metadata if the instance is compromised. IMDSv2 provides better security by requiring session-based tokens for metadata access.
Enforcing IMDSv2 helps:
- Mitigate security risks by ensuring that only authorized requests can access EC2 metadata.
- Enhance the security posture of EC2 instances, preventing unauthorized data extraction.
- Ensure compliance with best practices for instance metadata security.
Impact:
Pros:
- Improved security by enforcing token-based authentication for accessing instance metadata.
- Reduces the risk of data leaks or attacks using SSRF techniques.
- Ensures compliance with more secure AWS configurations and standards.
Cons:
- Compatibility issues: applications or processes that rely on IMDSv1 may break if they are not upgraded to support IMDSv2.
- Potential service disruptions if applications are not properly configured to handle IMDSv2.
Default Value:
By default, EC2 instances may be launched with the http-tokens metadata option set to optional, which means IMDSv1 requests are still accepted unless the setting is changed. IMDSv2 must therefore be explicitly enforced.
Pre-requisites:
AWS IAM permissions to view and modify EC2 instance metadata options:
- ec2:DescribeInstances
- ec2:ModifyInstanceMetadataOptions
Remediation:
Test Plan:
Using AWS Console:
At this time, instance metadata settings can only be reviewed and modified using the AWS CLI.
Using AWS CLI:
Run the following command to list instances with IMDSv1 enabled:
aws ec2 describe-instances --region us-east-1 --output text --filters "Name=metadata-options.http-tokens,Values=optional" --query "Reservations[*].Instances[*].{Instance:InstanceId}"
The output lists the instances whose http-tokens option is set to optional, meaning both IMDSv1 and IMDSv2 are accepted. These instances need to be updated to enforce IMDSv2.
Implementation Plan:
Using AWS Console:
Instance metadata settings can only be updated via AWS CLI for existing instances. Ensure that you follow the steps below using the CLI.
Using AWS CLI:
To enforce IMDSv2 on the EC2 instance, run the following command:
aws ec2 modify-instance-metadata-options --instance-id i-1234567abcdefghi0 --http-tokens required --http-endpoint enabled
This sets http-tokens to required (IMDSv2 enforced) and keeps the HTTP endpoint enabled so that instance metadata remains accessible to IMDSv2 clients.
The command will output the metadata changes as follows:
{
    "InstanceId": "i-1234567abcdefghi0",
    "InstanceMetadataOptions": {
        "State": "pending",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1,
        "HttpEndpoint": "enabled"
    }
}
Repeat the command for each instance and region identified in the audit.
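As an added example (not part of this benchmark), the following Python script applies the Test Plan and Implementation Plan above to saved describe-instances output: it flags instances whose http-tokens option is optional, generates the per-instance enforcement command for review, and checks the JSON returned by modify-instance-metadata-options. The instance IDs and the sample JSON are constructed; the script assumes the describe-instances JSON layout (Reservations[].Instances[].MetadataOptions).

```python
import json
from typing import List

# Constructed sample of one region's `aws ec2 describe-instances --output json`
# (fictitious instance IDs); only the fields this audit reads are included.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111111111111a", "State": {"Name": "running"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222222222222b", "State": {"Name": "running"},
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc333333333333c", "State": {"Name": "stopped"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
]}]})


def find_imdsv1_instances(describe_json: str, running_only: bool = True) -> List[str]:
    """Return IDs of instances whose metadata endpoint still accepts IMDSv1.

    Same condition as the Test Plan filter (http-tokens == optional), optionally
    limited to running instances as the Description requires.
    """
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if running_only and inst.get("State", {}).get("Name") != "running":
                continue
            if inst.get("MetadataOptions", {}).get("HttpTokens") == "optional":
                findings.append(inst["InstanceId"])
    return findings


def remediation_commands(instance_ids: List[str], region: str) -> List[str]:
    """Build the Implementation Plan command for each finding so it can be
    reviewed (and tested on one instance) before being applied at scale."""
    return [f"aws ec2 modify-instance-metadata-options --region {region} "
            f"--instance-id {iid} --http-tokens required --http-endpoint enabled"
            for iid in instance_ids]


def imdsv2_enforced(modify_output_json: str) -> bool:
    """Check the JSON printed by modify-instance-metadata-options: compliant only
    when HttpTokens is "required" and the endpoint remains enabled."""
    opts = json.loads(modify_output_json).get("InstanceMetadataOptions", {})
    return opts.get("HttpTokens") == "required" and opts.get("HttpEndpoint") == "enabled"


if __name__ == "__main__":
    ids = find_imdsv1_instances(SAMPLE_DESCRIBE_OUTPUT)
    print("\n".join(remediation_commands(ids, "us-east-1")))
```

Feed it the real output of describe-instances for each region in scope; a stopped instance left with http-tokens optional is still reported when running_only is False.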
Backout Plan:
Using AWS Console:
If enforcing IMDSv2 causes compatibility issues with applications, the metadata settings can be reverted by changing http-tokens back to optional (allowing both IMDSv1 and IMDSv2).
Using AWS CLI:
To revert back to allowing both IMDSv1 and IMDSv2, run the following command:
aws ec2 modify-instance-metadata-options --instance-id i-1234567abcdefghi0 --http-tokens optional --http-endpoint enabled
Verify the change by re-running the describe-instances command from the Test Plan to confirm that the instance's http-tokens setting has been updated as intended.
References:
CIS Controls: