The launch template associated with your Auto Scaling Group (ASG) should not have a metadata response hop limit greater than 1. With a hop limit of 1, the IMDSv2 session token returned in the metadata PUT response stays within the EC2 instance and cannot be forwarded off it, which prevents a host reachable through that instance from obtaining the token and reading sensitive metadata.
This rule can help you work with the AWS Well-Architected Framework.
The Instance Metadata Service (IMDS) provides metadata about an Amazon EC2 instance that applications use to configure themselves. With IMDSv2, a client first obtains a session token with an HTTP PUT request and then presents that token on every subsequent GET. The metadata response hop limit sets the IP TTL of the packet carrying the PUT response; each router, NAT or tunnel hop decrements the TTL, so with the default hop limit of 1 the packet carrying the secret token is discarded before it can leave the instance. This is what protects a misconfigured EC2 instance that is acting as an open router, layer 3 firewall, VPN, tunnel or NAT device: even if the instance forwards a request to IMDS on behalf of another host, the token never makes it back across the hop, so the metadata stays out of reach. Raising the hop limit above 1 removes that protection. One practical caveat: containers that reach IMDS over a bridged network (for example Docker's default bridge) sit one hop away from the instance, so they need a hop limit of 2 to use IMDSv2; if you have such a workload, document it as an exception rather than falling back to IMDSv1.
Audit
To determine if the metadata response hop limit is greater than 1 in the launch template configuration, perform the following actions:
Remediation / Resolution
To configure the metadata response hop limit for the launch templates associated with your Auto Scaling Groups (ASGs), perform the following actions:
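The two procedures above, the audit of an ASG's launch template version and the remediation through a new template version, are shown together in the following Python example. It is an added example, not code from the original page or from AWS. It models the boto3 calls that correspond to the CLI commands in the references (describe_auto_scaling_groups, describe_launch_template_versions, create_launch_template_version, update_auto_scaling_group); the client classes, the launch template ID, the ASG name and the version data are constructed stand-ins so the module runs offline, and you would pass real boto3 clients in their place.

```python
"""Audit and remediate HttpPutResponseHopLimit on the launch template behind an ASG.

The client arguments follow the boto3 'autoscaling' and 'ec2' client interfaces.
FakeAutoScalingClient / FakeEC2Client below are constructed stand-ins (not real
account data) so the module runs without AWS credentials.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Threshold this rule enforces: a PUT-response TTL of 1 cannot survive an IP hop.
MAX_HOP_LIMIT = 1


@dataclass
class Finding:
    asg_name: str
    launch_template_id: str
    version: str              # resolved version number of the template the ASG uses
    hop_limit: Optional[int]  # None when MetadataOptions does not set the limit at all
    compliant: bool
    mixed_instances: bool     # True when the template sits inside a MixedInstancesPolicy


def _launch_template_spec(asg: dict) -> tuple[Optional[dict], bool]:
    """LaunchTemplateSpecification of an ASG, attached directly or via
    MixedInstancesPolicy. (None, False) for launch-configuration ASGs."""
    if "LaunchTemplate" in asg:
        return asg["LaunchTemplate"], False
    policy = asg.get("MixedInstancesPolicy", {})
    return policy.get("LaunchTemplate", {}).get("LaunchTemplateSpecification"), True


def hop_limit_of(version: dict) -> Optional[int]:
    """HttpPutResponseHopLimit from one describe-launch-template-versions entry."""
    return (version.get("LaunchTemplateData", {})
            .get("MetadataOptions", {})
            .get("HttpPutResponseHopLimit"))


def audit_asg(autoscaling, ec2, asg_name: str) -> list[Finding]:
    """Audit: resolve the ASG's launch template version and check its hop limit."""
    groups = autoscaling.describe_auto_scaling_groups(
        AutoScalingGroupNames=[asg_name])["AutoScalingGroups"]
    findings = []
    for asg in groups:
        spec, mixed = _launch_template_spec(asg)
        if spec is None:
            continue  # launch configuration, not a launch template: out of scope here
        lt_id = spec["LaunchTemplateId"]
        version = ec2.describe_launch_template_versions(
            LaunchTemplateId=lt_id, Versions=[spec.get("Version", "$Default")]
        )["LaunchTemplateVersions"][0]
        limit = hop_limit_of(version)
        # An unset limit inherits the AMI or account-level default instead of pinning 1,
        # so it is reported as non-compliant until it is set explicitly.
        compliant = limit is not None and limit <= MAX_HOP_LIMIT
        findings.append(Finding(asg["AutoScalingGroupName"], lt_id,
                                str(version["VersionNumber"]), limit, compliant, mixed))
    return findings


def remediate(autoscaling, ec2, finding: Finding) -> int:
    """Remediation: create a new template version from the offending one that changes
    only MetadataOptions, then point the ASG at it. Returns the new version number."""
    if finding.mixed_instances:
        raise NotImplementedError(
            "update the LaunchTemplateSpecification inside MixedInstancesPolicy instead")
    new_version = ec2.create_launch_template_version(
        LaunchTemplateId=finding.launch_template_id,
        SourceVersion=finding.version,  # every other setting is inherited from the source
        VersionDescription="Pin IMDSv2 with PUT response hop limit 1",
        LaunchTemplateData={"MetadataOptions": {
            "HttpEndpoint": "enabled",
            "HttpTokens": "required",   # IMDSv2 only; the hop limit applies to the token response
            "HttpPutResponseHopLimit": 1,
        }},
    )["LaunchTemplateVersion"]["VersionNumber"]
    autoscaling.update_auto_scaling_group(
        AutoScalingGroupName=finding.asg_name,
        LaunchTemplate={"LaunchTemplateId": finding.launch_template_id,
                        "Version": str(new_version)},
    )
    return new_version


class FakeEC2Client:
    """Constructed stand-in for boto3's EC2 client; IDs and data are invented."""
    def __init__(self):
        self.versions = {("lt-0123456789abcdef0", 3): {
            "VersionNumber": 3,
            "LaunchTemplateData": {"ImageId": "ami-0example", "InstanceType": "t3.micro",
                                   "MetadataOptions": {"HttpTokens": "required",
                                                       "HttpPutResponseHopLimit": 2}}}}

    def describe_launch_template_versions(self, LaunchTemplateId, Versions):
        return {"LaunchTemplateVersions": [self.versions[(LaunchTemplateId, int(Versions[0]))]]}

    def create_launch_template_version(self, LaunchTemplateId, SourceVersion,
                                       LaunchTemplateData, VersionDescription=""):
        source = self.versions[(LaunchTemplateId, int(SourceVersion))]
        number = max(v for lt, v in self.versions if lt == LaunchTemplateId) + 1
        data = {**source["LaunchTemplateData"], **LaunchTemplateData}  # merge as the API does
        self.versions[(LaunchTemplateId, number)] = {"VersionNumber": number,
                                                     "LaunchTemplateData": data}
        return {"LaunchTemplateVersion": {"VersionNumber": number}}


class FakeAutoScalingClient:
    """Constructed stand-in for boto3's Auto Scaling client."""
    def __init__(self):
        self.groups = {"web-asg": {"AutoScalingGroupName": "web-asg",
                                   "LaunchTemplate": {"LaunchTemplateId": "lt-0123456789abcdef0",
                                                      "Version": "3"}}}

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [self.groups[n] for n in AutoScalingGroupNames]}

    def update_auto_scaling_group(self, AutoScalingGroupName, LaunchTemplate):
        self.groups[AutoScalingGroupName]["LaunchTemplate"] = LaunchTemplate
        return {}


if __name__ == "__main__":
    asg_client, ec2_client = FakeAutoScalingClient(), FakeEC2Client()
    for f in audit_asg(asg_client, ec2_client, "web-asg"):
        print(f)
        if not f.compliant:
            print("new version:", remediate(asg_client, ec2_client, f))
            print(audit_asg(asg_client, ec2_client, "web-asg")[0])
```

Two design points worth noting. The audit treats an absent HttpPutResponseHopLimit as non-compliant, because a template that does not set it inherits whatever the AMI or account-level metadata defaults say rather than guaranteeing 1. The remediation deliberately creates a new version with SourceVersion set instead of editing in place, so every other launch parameter is carried over unchanged and the ASG is repointed with a single update; running instances keep their old settings until they are replaced, so pair this with an instance refresh if you need the fix to take effect immediately.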
References
- AWS Documentation
- Configure the instance metadata options
- Instance metadata and user data
- Launch templates
- Examples for creating and managing launch templates with the AWS Command Line Interface (AWS CLI)
- AWS Command Line Interface (CLI) Documentation
- describe-auto-scaling-groups
- describe-launch-template-versions
- create-launch-template-version
- update-auto-scaling-group