Profile Applicability

Level 1

Description

Amazon EC2 instances support two versions of the Instance Metadata Service (IMDS):

  • IMDSv1: Uses a simple request/response model.

  • IMDSv2: Implements a session-oriented model with temporary session tokens.

IMDSv2 enhances instance security by requiring session-based authentication before metadata can be retrieved. Amazon recommends enforcing IMDSv2 to minimize exposure to Server-Side Request Forgery (SSRF) attacks and other unauthorized metadata access.

Rationale:

The Instance Metadata Service allows software on EC2 instances to access metadata including instance identity and temporary credentials. IMDSv1 allows unrestricted metadata requests, increasing the risk of SSRF vulnerabilities.

By enforcing IMDSv2:

  • Only requests with valid session tokens can access metadata.

  • Applications must explicitly obtain a session token before reading metadata, so a request that merely reaches the metadata endpoint (for example, a forwarded or forged GET) cannot retrieve metadata on its own.

  • The attack surface is minimized, reducing the risk of compromised credentials or internal metadata leakage.
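To make the session model concrete, the following added example (not part of this benchmark text, and not AWS or CIS tooling) walks through the IMDSv2 exchange against a small local mock of the metadata service. The mock server is a constructed stand-in written for this example; only the token path (`/latest/api/token`) and the two header names are the real IMDS ones. It shows the two-step flow an application must implement once `HttpTokens` is `required`, and why a token-less GET, which is typically all an SSRF vector can issue, is refused with 401.

```python
"""IMDSv2 session-token flow against a constructed stand-in for the
metadata service. The server below is NOT the real IMDS: it is a minimal
mock written for this example that mimics the documented v2 behaviour
(PUT to obtain a token, token header required on every GET) so the
exchange can be exercised offline on localhost."""

import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real IMDS path and header names.
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed sample value the mock serves; a real instance returns its own ID.
SAMPLE_METADATA = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}


class MockIMDSv2Handler(BaseHTTPRequestHandler):
    """Mock: issues tokens only via PUT and rejects GETs without a valid one."""
    tokens = {}  # token -> expiry timestamp, shared across requests

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_PUT(self):
        ttl = self.headers.get(TTL_HEADER)
        # IMDSv2 issues a token only for a PUT carrying a TTL header, and
        # refuses the request when an X-Forwarded-For header is present.
        if self.path != TOKEN_PATH or ttl is None or "X-Forwarded-For" in self.headers:
            self.send_error(400)
            return
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(token.encode())

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        # With HttpTokens=required, a GET without a valid, unexpired token is 401.
        if token not in self.tokens or self.tokens[token] < time.time():
            self.send_error(401)
            return
        body = SAMPLE_METADATA.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body.encode())


def start_mock_imds():
    """Start the mock on an ephemeral localhost port; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def get_imdsv2_token(base_url, ttl_seconds=21600):
    """Step 1 of IMDSv2: PUT for a session token with the requested TTL (max 6 h)."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base_url, path, token=None):
    """Step 2: GET metadata; returns (status, body). Omitting the token models
    what an IMDSv1-style client, or a plain GET issued via SSRF, would send."""
    headers = {TOKEN_HEADER: token} if token else {}
    req = urllib.request.Request(base_url + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def demo():
    """Run both styles against the mock: returns (v1_status, (v2_status, v2_body))."""
    base_url, server = start_mock_imds()
    try:
        path = "/latest/meta-data/instance-id"
        v1_style = get_metadata(base_url, path)          # no token -> 401
        token = get_imdsv2_token(base_url)
        v2_style = get_metadata(base_url, path, token)   # with token -> 200
        return v1_style[0], v2_style
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

When refactoring an application off IMDSv1 (the step named in the backout plan), the client side of this example is the shape the change takes: acquire the token once, cache it for its TTL, and send it on every metadata read. Current AWS SDKs already do this, so the remaining IMDSv1 dependants are usually hand-written `curl`/HTTP calls.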

Impact:

If IMDSv1 is permitted, malicious or compromised applications can exploit SSRF to obtain sensitive instance metadata, such as IAM role credentials. This can result in privilege escalation, lateral movement, and unauthorized AWS resource access.


Default Value:

By default, EC2 instances launched without specifying metadata options allow both IMDSv1 and IMDSv2.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • ec2:DescribeInstances

    • ec2:ModifyInstanceMetadataOptions

  • Access to the AWS Management Console

  • Identify regions and instances where configuration must be applied

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console

  2. Navigate to Instances

  3. Select an instance

  4. Check Metadata Options under Instance Details

  5. Ensure:

    • Metadata version is set to IMDSv2 only

    • HTTP tokens are marked as required

Using AWS CLI:

aws ec2 describe-instances \
  --query "Reservations[].Instances[?MetadataOptions.HttpTokens!='required'].InstanceId" \
  --output table


This command lists the instances in the current region whose HttpTokens setting is not "required", i.e. instances that still answer IMDSv1 requests. The AWS CLI is regional, so run it in every region in use.
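The one-line query above covers a single region and flags every instance whose HttpTokens is not "required". The following added example (written for this page, not AWS or CIS tooling) does the same audit in Python across regions and builds the corresponding remediation command from the implementation plan for each finding. The describe-instances response embedded in it is a constructed sample; the live path uses boto3, which is assumed to be installed and only imported when `audit_account()` is called. Two refinements over the one-liner are this example's own choices: terminated instances are skipped because their metadata options cannot be modified, and instances with the metadata endpoint disabled are reported separately, since IMDS is off entirely there rather than merely unenforced.

```python
"""Audit EC2 instance metadata options and emit remediation commands.
Added example for this benchmark page; not AWS or CIS tooling. SAMPLE_RESPONSE
is a constructed ec2:DescribeInstances response used so the audit runs offline."""

TERMINAL_STATES = {"terminated", "shutting-down"}  # metadata options cannot be changed

# Constructed sample: same shape as the DescribeInstances API response.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0bbb", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0ddd", "State": {"Name": "terminated"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        ]},
    ]
}


def classify(instance):
    """Return 'skip', 'imds-disabled', 'compliant' or 'non-compliant' for one instance."""
    if instance["State"]["Name"] in TERMINAL_STATES:
        return "skip"
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-disabled"   # IMDS is off entirely; nothing for IMDSv1 to expose
    if opts.get("HttpTokens") == "required":
        return "compliant"
    return "non-compliant"        # HttpTokens 'optional': IMDSv1 still answers


def find_non_compliant(describe_response):
    """Flatten Reservations[].Instances[] and return the IDs still allowing IMDSv1."""
    return [
        inst["InstanceId"]
        for reservation in describe_response.get("Reservations", [])
        for inst in reservation.get("Instances", [])
        if classify(inst) == "non-compliant"
    ]


def remediation_command(instance_id, region):
    """The implementation-plan CLI command, filled in for one instance and region."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled --region {region}")


def audit_account(regions=None):
    """Live audit returning {region: [non-compliant instance ids]}.
    Needs boto3 plus ec2:DescribeRegions and ec2:DescribeInstances permissions."""
    import boto3  # imported lazily so the offline functions above need no AWS SDK
    if regions is None:
        ec2 = boto3.client("ec2")
        regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    findings = {}
    for region in regions:
        paginator = boto3.client("ec2", region_name=region).get_paginator("describe_instances")
        ids = []
        for page in paginator.paginate():   # pages have the same shape as SAMPLE_RESPONSE
            ids.extend(find_non_compliant(page))
        if ids:
            findings[region] = ids
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; <region-name> is a placeholder.
    for iid in find_non_compliant(SAMPLE_RESPONSE):
        print(remediation_command(iid, "<region-name>"))
```

On the constructed sample only i-0aaa is reported: i-0bbb already requires tokens, i-0ccc has IMDS disabled, and i-0ddd is terminated. Feeding the live `audit_account()` output into `remediation_command()` produces the exact commands the implementation plan asks to be repeated per instance and region.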

Implementation Plan:

Using AWS Console:

  1. Go to the EC2 Dashboard

  2. Select the instance

  3. Choose Actions → Instance Settings → Modify instance metadata options

  4. Set:

    • Instance metadata service: Enabled

    • Metadata version: IMDSv2 only (HTTP tokens required)

  5. Click Save changes

Using AWS CLI:

aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --region <region-name>


Repeat for all EC2 instances across your AWS regions.

Backout Plan:

If applications require IMDSv1 and fail after enforcement:

  1. Temporarily re-enable IMDSv1:

aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens optional \
  --region <region-name>


  2. Identify and refactor application components dependent on IMDSv1

  3. Reapply --http-tokens required after resolving dependencies

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|------------------------------------------------------------------------------
  CIS v8              | 4.8        | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
  CIS v7              | 5.2        | Maintain Secure Images for Enterprise Systems