Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS). IMDSv2 uses session-oriented requests. This allows you to create a session token that defines the session duration, which can be a minimum of 1 second and a maximum of 6 hours. During this duration, you can use the same session token for subsequent metadata requests. After this duration expires, you must create a new session token to use for future requests.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Instance Metadata Service (IMDS) provides a convenient way to access metadata available for a running Amazon EC2 instance such as hostname, network configuration, associated security groups, and so on. The service runs on a link-local IP address and is unique to every single EC2 instance. IMDS solves an important security problem for AWS cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to EC2 instances. Application code can access instance metadata from a running Amazon EC2 instance using one of two methods: Instance Metadata Service Version 1 (IMDSv1) or Instance Metadata Service Version 2 (IMDSv2). The EC2 instances that allow IMDSv1 are exposed to Server Side Request Forgery (SSRF) attacks, which could allow theft of IAM roles. IMDSv2 uses session-oriented requests to mitigate several types of vulnerabilities that could be used to attempt to access the IMDS, protecting against malicious activities such as SSRF attacks.
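To make the session-oriented flow concrete, here is an added example (not code from the Conformity page or from AWS) of a small IMDSv2 client: it obtains a session token with a PUT that carries the TTL header, caches the token until shortly before its TTL runs out, and sends every metadata GET with the token header. The IMDS address, token path and header names are the documented IMDSv2 ones; the simulated service is constructed for this example so the flow can be exercised off-instance, and it refuses any GET that lacks a valid token, which is the behaviour that defeats the plain IMDSv1-style request an SSRF would otherwise relay.

```python
"""Minimal IMDSv2 client with session-token caching (added example)."""
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MIN_TTL, MAX_TTL = 1, 6 * 60 * 60  # 1 second to 6 hours, the range the page gives

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport, only meaningful on an EC2 instance: returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


class IMDSv2Client:
    """Two-step IMDSv2 flow: PUT for a session token, then GET with the token."""

    def __init__(self, ttl_seconds: int = 300, send: Transport = urllib_send,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if not MIN_TTL <= ttl_seconds <= MAX_TTL:
            raise ValueError(f"TTL must be between {MIN_TTL} and {MAX_TTL} seconds")
        self._ttl = ttl_seconds
        self._send = send
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self._margin = min(5.0, ttl_seconds / 2)  # refresh a little before expiry

    def _token_valid(self) -> bool:
        return self._token is not None and self._clock() < self._expires_at - self._margin

    def _refresh_token(self) -> None:
        status, body = self._send("PUT", IMDS_BASE + TOKEN_PATH, {TTL_HEADER: str(self._ttl)})
        if status != 200:
            raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
        self._token = body.strip()
        self._expires_at = self._clock() + self._ttl

    def get(self, path: str) -> str:
        """Return the metadata value at `path`, refreshing the session token as needed."""
        if not self._token_valid():
            self._refresh_token()
        status, body = self._send("GET", IMDS_BASE + path, {TOKEN_HEADER: self._token})
        if status == 401:  # token rejected (e.g. expired early): refresh once and retry
            self._refresh_token()
            status, body = self._send("GET", IMDS_BASE + path, {TOKEN_HEADER: self._token})
        if status != 200:
            raise RuntimeError(f"metadata request for {path} failed with HTTP {status}")
        return body


class SimulatedIMDSv2:
    """Constructed stand-in for the metadata service (not the real IMDS).
    Enforces the two rules the page describes: tokens come from a PUT with a
    TTL header, and every GET must carry an unexpired token."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._tokens: Dict[str, float] = {}  # token -> expiry time
        self.token_requests = 0
        # constructed sample metadata
        self.metadata = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}

    def send(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        path = url[len(IMDS_BASE):]
        if method == "PUT" and path == TOKEN_PATH:
            ttl = int(headers.get(TTL_HEADER, "0"))
            if not MIN_TTL <= ttl <= MAX_TTL:
                return 400, "invalid TTL"
            self.token_requests += 1
            token = f"tok-{self.token_requests}"
            self._tokens[token] = self._clock() + ttl
            return 200, token
        if method == "GET":
            token = headers.get(TOKEN_HEADER)
            if token not in self._tokens or self._clock() >= self._tokens[token]:
                return 401, ""  # no valid session token: request refused
            value = self.metadata.get(path)
            return (200, value) if value is not None else (404, "")
        return 405, ""


if __name__ == "__main__":
    sim = SimulatedIMDSv2()
    client = IMDSv2Client(ttl_seconds=60, send=sim.send)
    print(client.get("/latest/meta-data/instance-id"), "tokens issued:", sim.token_requests)
```

On a real instance, `IMDSv2Client()` with the default transport talks to the link-local endpoint; the injectable `send` and `clock` exist only so the token caching and refresh-on-expiry behaviour can be checked without one.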
Audit
To determine the version of the Instance Metadata Service (IMDS) configured for your Amazon EC2 instances, perform the following operations:
Note: Getting the IMDS version configured for Amazon EC2 instances using the AWS Management Console is not currently supported.

Remediation / Resolution
To enforce IMDSv2 for your existing Amazon EC2 instances, perform the following operations:
Note 1: Enforcing IMDSv2 for existing EC2 instances using the AWS Management Console is not currently supported.

Note 2: Once the use of IMDSv2 is enforced, applications or agents that use IMDSv1 for instance metadata access will break. For IMDSv2-based requests, you must include a session token in all instance metadata requests.
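The audit and remediation steps above both come down to the two AWS CLI commands the page references: `describe-instances` exposes each instance's `MetadataOptions.HttpTokens` (`optional` allows IMDSv1, `required` enforces IMDSv2), and `modify-instance-metadata-options --http-tokens required --http-endpoint enabled` enforces it. The following added example (not the Conformity tool's own code, nor AWS's) audits a `describe-instances` response and produces the remediation command for every non-compliant instance; the sample response and instance IDs are constructed, and the `fetch_describe_instances` helper that shells out to the AWS CLI is the only part that needs credentials.

```python
"""Audit EC2 instances for IMDSv1 exposure and emit remediation commands (added example)."""
import json
import subprocess
from typing import Any, Dict, List, Optional

# Constructed sample of `aws ec2 describe-instances --output json`, trimmed to
# the fields this audit needs. Instance IDs are placeholders.
SAMPLE_DESCRIBE_INSTANCES: Dict[str, Any] = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            # No MetadataOptions block at all: treated as IMDSv1-capable until proven otherwise
            {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "stopped"}},
            # Terminated instances cannot be modified and are skipped
            {"InstanceId": "i-0a1b2c3d4e5f60004", "State": {"Name": "terminated"},
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        ]},
    ]
}


def audit_imds(describe_output: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per non-terminated instance whose HttpTokens is not 'required'."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            opts = inst.get("MetadataOptions", {})
            tokens = opts.get("HttpTokens", "optional")      # absent block: assume IMDSv1 allowed
            endpoint = opts.get("HttpEndpoint", "enabled")
            if tokens != "required":
                findings.append({"InstanceId": inst["InstanceId"],
                                 "HttpTokens": tokens, "HttpEndpoint": endpoint})
    return findings


def remediation_command(instance_id: str, region: Optional[str] = None) -> str:
    """AWS CLI command that enforces IMDSv2 on one instance (Note 2 above applies)."""
    cmd = ["aws", "ec2", "modify-instance-metadata-options", "--instance-id", instance_id,
           "--http-tokens", "required", "--http-endpoint", "enabled"]
    if region:
        cmd += ["--region", region]
    return " ".join(cmd)


def fetch_describe_instances(region: str) -> Dict[str, Any]:
    """Live path: run the AWS CLI (requires credentials); not used by the offline sample."""
    out = subprocess.run(["aws", "ec2", "describe-instances", "--region", region,
                          "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def report(describe_output: Dict[str, Any], region: Optional[str] = None) -> List[str]:
    """Remediation commands for every finding, in describe-instances order."""
    return [remediation_command(f["InstanceId"], region) for f in audit_imds(describe_output)]


if __name__ == "__main__":
    for finding in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{finding['InstanceId']}: HttpTokens={finding['HttpTokens']} "
              f"HttpEndpoint={finding['HttpEndpoint']}")
    for line in report(SAMPLE_DESCRIBE_INSTANCES, region="us-east-1"):
        print(line)
```

Replace `SAMPLE_DESCRIBE_INSTANCES` with `fetch_describe_instances("<region>")` to audit a real account; review the generated commands against Note 2 before running them, since any agent still making IMDSv1 calls on a flagged instance will stop working once the change is applied.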
References
- AWS Documentation
  - Instance metadata and user data
  - Use IMDSv2
  - Configure the instance metadata options
  - Configuring the instance metadata service on your environment's instances
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-instances
    - modify-instance-metadata-options