
Configure Metadata Response Hop Limit

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

The launch template associated with your Auto Scaling Group (ASG) should not have a metadata response hop limit greater than 1 to ensure that the secret token in the metadata response stays within the EC2 instance and does not leave the instance, thus preventing unauthorized access to sensitive metadata.

This rule can help you work with the AWS Well-Architected Framework.

Security

The Instance Metadata Service (IMDS) provides metadata that applications running on Amazon EC2 instances use for configuration. IMDSv2 issues a session token in response to an HTTP PUT request, and the metadata response hop limit controls how far that response can travel: the limit is written into the TTL field of the IP packet carrying the PUT response, and the TTL is reduced at every hop, so with the default hop limit of 1 the packet cannot be forwarded beyond the EC2 instance that requested it. This keeps the secret token, and the sensitive metadata it unlocks, inside the instance even when a misconfigured EC2 instance is acting as an open router, firewall, VPN, or NAT device, which is the scenario IMDSv2 is designed to protect against.


Audit

To determine if the metadata response hop limit is greater than 1 in the launch template configuration, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Launch template section, choose View details in the launch template console, and select the launch template associated with your Auto Scaling Group.

07 Choose the Details tab and select the Advanced details tab to view the advanced configuration information available for the launch template.

08 Check the Token hop limit attribute value to determine the metadata response hop limit configured for the EC2 instances running within the Auto Scaling Group. If the metadata response hop limit is greater than 1, the associated launch template is not configured to protect against unauthorized access to sensitive metadata.

09 Repeat steps no. 4 – 8 for each Auto Scaling Group available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  cc-web-production-asg  |
|  cc-internal-app-asg    |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the launch template (and the template version) associated with the Auto Scaling group (ASG) that you want to examine:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-name cc-web-production-asg \
  --query 'AutoScalingGroups[*].LaunchTemplate'

04 The command output should return the requested ASG information:

[
	{
		"LaunchTemplateName": "cc-asg-launch-template",
		"Version": "2",
		"LaunchTemplateId": "lt-0abcd1234abcd1234"
	}
]

05 Run describe-launch-template-versions command (OSX/Linux/UNIX) to describe the metadata response hop limit configured for the EC2 instances running within the associated Auto Scaling Group:

aws ec2 describe-launch-template-versions \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --versions 2 \
  --query 'LaunchTemplateVersions[*].LaunchTemplateData[].MetadataOptions[].HttpPutResponseHopLimit'

06 The command output should return the metadata response hop limit or an empty array if the launch template uses the default value (i.e. 1):

[
	2
]

If the describe-launch-template-versions command output returns a value greater than 1, as shown in the output example above, the metadata response hop limit is greater than 1, therefore the associated launch template is not configured to protect against unauthorized access to sensitive metadata.

07 Repeat steps no. 3 – 6 for each Auto Scaling Group available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To configure the metadata response hop limit for the launch templates associated with your Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to configure.

05 Choose the Details tab to access the ASG resource configuration details.

06 In the Launch template section, choose Edit to modify the launch template configuration.

07 Under Version, choose Create a launch template version to create a new launch template version from the existing version.

08 Choose Advanced details and type 1 in the Metadata response hop limit box, to set the metadata response hop limit to 1.

09 Choose Create template version to save the new launch template version.

10 Navigate back to your Auto Scaling Group configuration page, use the Refresh button next to the Version dropdown list to load the new template version, and choose the launch template version created at the previous step. Choose Update to apply the configuration changes.

11 Repeat steps no. 4 – 10 for each ASG that you want to reconfigure, available within the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-launch-template-version command (OSX/Linux/UNIX) using the ID of the ASG launch template that you want to reconfigure as the identifier parameter, to create a new version for the selected launch template. The --source-version parameter value represents the version number of the launch template on which to base the new version. The new version inherits the same launch parameters as the source version, except for parameters that you specify for --launch-template-data. To configure the metadata response hop limit, set the "HttpPutResponseHopLimit" parameter to 1:

aws ec2 create-launch-template-version \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --source-version 2 \
  --launch-template-data '{"MetadataOptions":{"HttpPutResponseHopLimit":1}}'

02 The command output should return the information available for the new launch template version:

{
	"LaunchTemplateVersion": {
		"LaunchTemplateId": "lt-0abcd1234abcd1234",
		"LaunchTemplateName": "cc-asg-launch-template",
		"VersionNumber": 3,
		"CreateTime": "2023-08-01T16:55:40+00:00",
		"CreatedBy": "arn:aws:sts::123456789012:assumed-role/ec2-manager/i-0abcd1234abcd1234",
		"DefaultVersion": false,
		"LaunchTemplateData": {
			"NetworkInterfaces": [
				{
					"DeviceIndex": 0
				}
			],
			"ImageId": "ami-0abcd1234abcd1234",
			"InstanceType": "t3.large",
			"MetadataOptions": {
				"HttpPutResponseHopLimit": 1
			}
		}
	}
}

03 Run update-auto-scaling-group command (OSX/Linux/UNIX) to apply the new launch template configuration to your Auto Scaling Group (ASG) in order to set the metadata response hop limit to 1 (the command does not produce an output).

IMPORTANT: The following reconfiguration process can impact application availability. Ensure that the selected Auto Scaling Group is NOT currently used in production or for critical operations.

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-web-production-asg \
  --launch-template LaunchTemplateId=lt-0abcd1234abcd1234,Version=3

04 Repeat steps no. 1 – 3 for each ASG that you want to reconfigure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
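The Audit and Remediation CLI steps above, combined into one script that finds every Auto Scaling Group whose launch template version allows more than one hop and creates a corrected template version for it. This is an added example, not Conformity's or AWS's code. It uses the boto3 client methods that correspond to the commands on the page (describe_auto_scaling_groups, describe_launch_template_versions, create_launch_template_version, update_auto_scaling_group). FakeAws is a constructed in-memory stand-in for the EC2 and Auto Scaling clients, loaded with sample data modelled on the page's output, so the script runs offline; the same functions work unchanged with real boto3 clients. Two details the CLI steps leave implicit are handled explicitly: an absent MetadataOptions block means the AWS default hop limit of 1, and a version pinned as $Latest or $Default is resolved to a concrete version number before it is used as the source version. Groups that use a mixed-instances policy are read from MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification, the shape the describe-auto-scaling-groups response uses for them.

```python
"""Audit and remediate the IMDSv2 metadata response hop limit on ASG launch templates.

Added example, not Conformity's or AWS's code. FakeAws below is a constructed
stand-in for the boto3 "ec2" and "autoscaling" clients so everything runs offline.
"""
from typing import Any, Dict, List, Optional, Tuple

MAX_HOP_LIMIT = 1  # the rule fails for any value above this


def launch_template_spec(asg: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the {LaunchTemplateId, Version} an ASG launches from.

    Covers plain launch templates and mixed-instances policies; returns None
    for groups that still use a launch configuration (not covered by this rule).
    """
    if "LaunchTemplate" in asg:
        return asg["LaunchTemplate"]
    mip = asg.get("MixedInstancesPolicy", {})
    return mip.get("LaunchTemplate", {}).get("LaunchTemplateSpecification")


def hop_limit_of(ec2, template_id: str, version: str) -> Tuple[int, int]:
    """Return (hop limit, resolved version number) for one template version.

    A missing MetadataOptions block (the empty-array case in step 06) means the
    AWS default of 1. "$Latest"/"$Default" are accepted by the API and resolved
    here to the numeric VersionNumber so it can serve as a source version later.
    """
    resp = ec2.describe_launch_template_versions(
        LaunchTemplateId=template_id, Versions=[str(version)])
    tv = resp["LaunchTemplateVersions"][0]
    limit = tv["LaunchTemplateData"].get("MetadataOptions", {}).get("HttpPutResponseHopLimit", 1)
    return int(limit), int(tv["VersionNumber"])


def audit(autoscaling, ec2) -> List[Dict[str, Any]]:
    """List ASGs whose launch template version allows more than MAX_HOP_LIMIT hops."""
    findings = []
    for asg in autoscaling.describe_auto_scaling_groups()["AutoScalingGroups"]:
        spec = launch_template_spec(asg)
        if spec is None:
            continue
        limit, number = hop_limit_of(ec2, spec["LaunchTemplateId"], spec["Version"])
        if limit > MAX_HOP_LIMIT:
            findings.append({"asg": asg["AutoScalingGroupName"],
                             "template": spec["LaunchTemplateId"],
                             "source_version": number, "hop_limit": limit})
    return findings


def remediate(autoscaling, ec2, finding: Dict[str, Any]) -> int:
    """Create a template version with hop limit 1 from the offending one and point the ASG at it.

    Returns the new version number. This changes what the group launches next,
    so schedule it as the page's IMPORTANT note advises.
    """
    new = ec2.create_launch_template_version(
        LaunchTemplateId=finding["template"],
        SourceVersion=str(finding["source_version"]),
        LaunchTemplateData={"MetadataOptions": {"HttpPutResponseHopLimit": MAX_HOP_LIMIT}},
    )["LaunchTemplateVersion"]["VersionNumber"]
    autoscaling.update_auto_scaling_group(
        AutoScalingGroupName=finding["asg"],
        LaunchTemplate={"LaunchTemplateId": finding["template"], "Version": str(new)})
    return new


class FakeAws:
    """Constructed in-memory stand-in for both clients; sample data mirrors the page."""

    def __init__(self):
        self.templates = {"lt-0abcd1234abcd1234": {
            1: {"ImageId": "ami-0abcd1234abcd1234"},  # no MetadataOptions -> default 1
            2: {"ImageId": "ami-0abcd1234abcd1234",
                "MetadataOptions": {"HttpPutResponseHopLimit": 2}}}}
        self.asgs = {"cc-web-production-asg": {"LaunchTemplateId": "lt-0abcd1234abcd1234", "Version": "2"},
                     "cc-internal-app-asg": {"LaunchTemplateId": "lt-0abcd1234abcd1234", "Version": "$Latest"}}

    def describe_auto_scaling_groups(self):
        return {"AutoScalingGroups": [{"AutoScalingGroupName": n, "LaunchTemplate": dict(s)}
                                      for n, s in self.asgs.items()]}

    def describe_launch_template_versions(self, LaunchTemplateId, Versions):
        versions = self.templates[LaunchTemplateId]
        num = max(versions) if Versions[0] in ("$Latest", "$Default") else int(Versions[0])
        return {"LaunchTemplateVersions": [{"LaunchTemplateId": LaunchTemplateId,
                                            "VersionNumber": num, "LaunchTemplateData": versions[num]}]}

    def create_launch_template_version(self, LaunchTemplateId, SourceVersion, LaunchTemplateData):
        versions = self.templates[LaunchTemplateId]
        data = dict(versions[int(SourceVersion)])  # inherit the source version ...
        data.update(LaunchTemplateData)            # ... except the parameters supplied
        num = max(versions) + 1
        versions[num] = data
        return {"LaunchTemplateVersion": {"LaunchTemplateId": LaunchTemplateId,
                                          "VersionNumber": num, "LaunchTemplateData": data}}

    def update_auto_scaling_group(self, AutoScalingGroupName, LaunchTemplate):
        self.asgs[AutoScalingGroupName] = dict(LaunchTemplate)


if __name__ == "__main__":
    aws = FakeAws()  # for real accounts: boto3.client("autoscaling", region_name=...) and boto3.client("ec2", ...)
    for finding in audit(aws, aws):
        print("non-compliant:", finding, "-> fixed in version", remediate(aws, aws, finding))
    print("remaining findings:", audit(aws, aws))
```

Run it per region, passing the two clients for that region, to reproduce the "repeat for other regions" steps; the ASG pinned to $Latest in the sample data starts compliant (version 2 allows 2 hops, but $Latest resolves to the highest version only after the fix, and before it the group is read as version 2 as well), which is exactly why resolving $Latest to a number at audit time matters.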

Publication date Aug 31, 2023