
Require IMDSv2 for EC2 Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-077

Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS). IMDSv2 uses session-oriented requests. This allows you to create a session token that defines the session duration, which can be a minimum of 1 second and a maximum of 6 hours. During this duration, you can use the same session token for subsequent metadata requests. After this duration expires, you must create a new session token to use for future requests.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Instance Metadata Service (IMDS) provides a convenient way to access metadata available for a running Amazon EC2 instance such as hostname, network configuration, associated security groups, and so on. The service runs on a link-local IP address and is unique to every single EC2 instance. IMDS solves an important security problem for AWS cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to EC2 instances. Application code can access instance metadata from a running Amazon EC2 instance using one of two methods: Instance Metadata Service Version 1 (IMDSv1) or Instance Metadata Service Version 2 (IMDSv2). The EC2 instances that allow IMDSv1 are exposed to Server Side Request Forgery (SSRF) attacks, which could allow theft of IAM roles. IMDSv2 uses session-oriented requests to mitigate several types of vulnerabilities that could be used to attempt to access the IMDS, protecting against malicious activities such as SSRF attacks.
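The session-oriented exchange described above (the token with a 1 second to 6 hour lifetime, then the metadata requests that reuse it) is shown end to end below as an added example; it is not Conformity's or AWS's code. A small in-process stand-in for the metadata endpoint listens on localhost instead of 169.254.169.254, serves constructed metadata values, and honours the instance's HttpTokens setting, so the difference between "optional" (a bare, IMDSv1-style GET is answered) and "required" (it is refused with 401) can be seen without touching a real instance. The token path and the two header names are the real IMDSv2 ones; everything else is assumed.

```python
"""Added example: the IMDSv2 session-token exchange against a local stand-in for IMDS."""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

MAX_TTL_SECONDS = 6 * 60 * 60  # IMDSv2 tokens are valid for 1 second to 6 hours

# Constructed sample metadata; a real instance serves this from 169.254.169.254.
SAMPLE_METADATA = {"/latest/meta-data/instance-id": "i-01234abcd1234abcd"}


class MockImdsHandler(http.server.BaseHTTPRequestHandler):
    """Answers like IMDS does, honouring the server's HttpTokens setting."""

    def log_message(self, *args):  # keep the console quiet
        pass

    def do_PUT(self):
        # IMDSv2 step 1: PUT /latest/api/token carrying the requested TTL header.
        if self.path != "/latest/api/token":
            return self._reply(404, "not found")
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds", "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL_SECONDS:
            return self._reply(400, "bad ttl")
        token = secrets.token_urlsafe(32)
        self.server.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        # IMDSv2 step 2: GET with X-aws-ec2-metadata-token. A GET without the
        # header is an IMDSv1-style request and is refused when tokens are required.
        token = self.headers.get("X-aws-ec2-metadata-token")
        if token is None and self.server.http_tokens == "required":
            return self._reply(401, "unauthorized")
        if token is not None and token not in self.server.tokens:
            return self._reply(401, "unauthorized")
        value = SAMPLE_METADATA.get(self.path)
        if value is None:
            return self._reply(404, "not found")
        self._reply(200, value)

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds(http_tokens="required"):
    """Start the stand-in on a free localhost port; returns (base_url, server)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockImdsHandler)
    server.http_tokens = http_tokens  # "required" = IMDSv2 only, "optional" = IMDSv1 allowed
    server.tokens = set()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def _send(request):
    try:
        with urllib.request.urlopen(request, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def get_session_token(base_url, ttl_seconds=21600):
    """IMDSv2 step 1: obtain a session token valid for ttl_seconds."""
    req = urllib.request.Request(
        f"{base_url}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    status, body = _send(req)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return body


def get_metadata(base_url, path, token):
    """IMDSv2 step 2: reuse the session token on each metadata request."""
    req = urllib.request.Request(f"{base_url}{path}",
                                 headers={"X-aws-ec2-metadata-token": token})
    status, body = _send(req)
    if status != 200:
        raise RuntimeError(f"metadata request failed with HTTP {status}")
    return body


def imdsv1_allowed(base_url):
    """True if a token-less request is still answered, i.e. IMDSv1 is not blocked."""
    status, _ = _send(urllib.request.Request(f"{base_url}/latest/meta-data/instance-id"))
    return status == 200


if __name__ == "__main__":
    url, srv = start_mock_imds("required")
    tok = get_session_token(url, 300)
    print("instance-id:", get_metadata(url, "/latest/meta-data/instance-id", tok))
    print("IMDSv1 allowed:", imdsv1_allowed(url))
    srv.shutdown()
    srv.server_close()
```

Pointing `get_session_token` and `get_metadata` at `http://169.254.169.254` instead of the stand-in gives the same client logic an agent needs once the instance enforces IMDSv2; `imdsv1_allowed` is the from-inside-the-instance counterpart of the describe-instances audit below.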


Audit

To determine the version of the Instance Metadata Service (IMDS) configured for your Amazon EC2 instances, perform the following operations:

Note: Getting the IMDS version configured for Amazon EC2 instances using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EC2 instance provisioned within the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcd1234abcd1234  |
|  i-0abcdabcdabcdabcd  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to determine the Instance Metadata Service (IMDS) version configured for the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[*].MetadataOptions.HttpTokens[]'

04 The command output should return the requested configuration information:

[
	"optional"
]

If the describe-instances command output returns "optional" (instead of "required"), as shown in the output example above, the verified instance still accepts Instance Metadata Service Version 1 (IMDSv1) requests, therefore the IMDSv2-only configuration is not enforced for the selected Amazon EC2 instance.

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance launched within the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enforce IMDSv2 for your existing Amazon EC2 instances, perform the following operations:

Note 1: Enforcing IMDS version 2 for existing EC2 instances using the AWS Management Console is not currently supported.

Note 2: Once the use of IMDSv2 is enforced, applications or agents that use IMDSv1 for instance metadata access will break. For IMDSv2-based requests, you must include a session token in all instance metadata requests.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"SSHKeyName": {
			"Type": "AWS::EC2::KeyPair::KeyName",
			"Description": "Instance SSH key"
		},
		"SecurityGroupId": {
			"Type": "AWS::EC2::SecurityGroup::Id",
			"Description": "Security group ID"
		}
	},
	"Resources": {
		"EC2Instance": {
			"Type": "AWS::EC2::Instance",
			"Properties": {
				"ImageId": "ami-0123456789abcdefa",
				"InstanceType": "c5.xlarge",
				"KeyName": {
					"Ref": "SSHKeyName"
				},
				"SubnetId": "subnet-0123456789abcdef0",
				"SecurityGroupIds": [
					{
						"Ref": "SecurityGroupId"
					}
				],
				"BlockDeviceMappings": [
					{
						"DeviceName": "/dev/xvda",
						"Ebs": {
							"VolumeSize": "30",
							"VolumeType": "gp2"
						}
					}
				],
				"MetadataOptions": {
					"HttpEndpoint": "enabled",
					"HttpPutResponseHopLimit": 2,
					"HttpTokens": "required"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SSHKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Instance SSH key
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group ID
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0123456789abcdefa
      InstanceType: c5.xlarge
      KeyName: !Ref 'SSHKeyName'
      SubnetId: subnet-0123456789abcdef0
      SecurityGroupIds:
        - !Ref 'SecurityGroupId'
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: '30'
            VolumeType: gp2
      MetadataOptions:
        HttpEndpoint: enabled
        HttpPutResponseHopLimit: 2
        HttpTokens: required

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_instance" "ec2-instance" {
	ami = "ami-0123456789abcdefa"
	instance_type = "c5.xlarge"
	key_name = "ssh-key"
	subnet_id = "subnet-0123456789abcdef0"
	vpc_security_group_ids = [ "sg-0123456789abcdefa" ]

	ebs_block_device {
		device_name = "/dev/xvda"
		volume_size = 30
		volume_type = "gp2"
	}

	metadata_options {
		http_endpoint               = "enabled"
		http_put_response_hop_limit = 2
		http_tokens                 = "required"
	}

}

Using AWS CLI

01 Run modify-instance-metadata-options command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to reconfigure as the identifier parameter, to require that only IMDSv2 is used when requesting instance metadata for the selected EC2 instance. When you specify a value for the --http-tokens parameter, you must also set --http-endpoint to enabled:

aws ec2 modify-instance-metadata-options \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --http-tokens required \
  --http-endpoint enabled

02 The command output should return the new metadata options available for the reconfigured EC2 instance:

{
	"InstanceId": "i-01234abcd1234abcd",
	"InstanceMetadataOptions": {
		"State": "pending",
		"HttpTokens": "required",
		"HttpPutResponseHopLimit": 1,
		"HttpEndpoint": "enabled",
		"HttpProtocolIpv6": "disabled",
		"InstanceMetadataTags": "disabled"
	}
}

03 (Optional) Run modify-instance-metadata-options command (OSX/Linux/UNIX) to set the desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata responses can travel. In the following command request example, the hop limit is set to 3:

aws ec2 modify-instance-metadata-options \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --http-put-response-hop-limit 3 \
  --http-endpoint enabled

04 The command output should return the new metadata options available for the reconfigured instance:

{
	"InstanceId": "i-01234abcd1234abcd",
	"InstanceMetadataOptions": {
		"State": "pending",
		"HttpTokens": "required",
		"HttpPutResponseHopLimit": 3,
		"HttpEndpoint": "enabled",
		"HttpProtocolIpv6": "disabled",
		"InstanceMetadataTags": "disabled"
	}
}

If the value for "HttpTokens" is equal to "required", the EC2 instance now enforces IMDSv2 for all instance metadata requests.

05 Repeat steps no. 1 and 2 to enforce IMDSv2 for each Amazon EC2 instance available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other regions.
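The Audit steps (list instances per region, read MetadataOptions.HttpTokens for each) and the Remediation steps above (ModifyInstanceMetadataOptions with HttpTokens set to required and HttpEndpoint set to enabled, optionally with a hop limit) combined into one script, as an added example that is not Conformity's or AWS's code. The describe-instances output is constructed to match the shape the CLI and boto3 return; `FakeEc2` stands in for a boto3 EC2 client so the script runs without AWS access, and `audit_and_fix_all_regions` is the real-account variant that assumes boto3 is installed and credentials are configured. Treating an instance whose HttpEndpoint is "disabled" as not flagged (no metadata is served at all) is this example's choice, not something the rule text states.

```python
"""Added example: flag EC2 instances that still allow IMDSv1 and enforce IMDSv2 on them."""

# Constructed describe-instances output in the shape the CLI and boto3 return.
SAMPLE_DESCRIBE_OUTPUT = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-01234abcd1234abcd",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0abcd1234abcd1234",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0abcdabcdabcdabcd",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def imds_findings(describe_output):
    """Map each instance ID to "IMDSv2 enforced", "IMDSv1 allowed" or "IMDS disabled"."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            opts = instance.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                status = "IMDS disabled"          # nothing served, nothing to protect
            elif opts.get("HttpTokens") == "required":
                status = "IMDSv2 enforced"        # the state the rule wants
            else:
                status = "IMDSv1 allowed"         # "optional" or missing: flagged
            findings[instance["InstanceId"]] = status
    return findings


def noncompliant_instances(describe_output):
    """Instance IDs the rule would flag: metadata served without requiring a token."""
    return sorted(i for i, s in imds_findings(describe_output).items()
                  if s == "IMDSv1 allowed")


def enforce_imdsv2(ec2, instance_ids, hop_limit=None):
    """Call ModifyInstanceMetadataOptions per ID; returns {id: resulting HttpTokens}.

    `ec2` is any object with a boto3-style modify_instance_metadata_options method.
    HttpEndpoint must be "enabled" whenever HttpTokens is specified.
    """
    results = {}
    for instance_id in instance_ids:
        params = {"InstanceId": instance_id, "HttpTokens": "required",
                  "HttpEndpoint": "enabled"}
        if hop_limit is not None:
            params["HttpPutResponseHopLimit"] = hop_limit
        resp = ec2.modify_instance_metadata_options(**params)
        # Same check the CLI step describes: HttpTokens must come back as "required".
        results[instance_id] = resp["InstanceMetadataOptions"]["HttpTokens"]
    return results


class FakeEc2:
    """Stand-in for a boto3 EC2 client; records calls and echoes the new options."""

    def __init__(self):
        self.calls = []

    def modify_instance_metadata_options(self, **params):
        self.calls.append(params)
        return {"InstanceId": params["InstanceId"],
                "InstanceMetadataOptions": {
                    "State": "pending",
                    "HttpTokens": params["HttpTokens"],
                    "HttpPutResponseHopLimit": params.get("HttpPutResponseHopLimit", 1),
                    "HttpEndpoint": params["HttpEndpoint"]}}


def audit_and_fix_all_regions(dry_run=True, hop_limit=None):
    """Real-account variant (assumes boto3 and credentials): every region, paginated."""
    import boto3
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    report = {}
    for region in (r["RegionName"] for r in regions):
        ec2 = boto3.client("ec2", region_name=region)
        pages = ec2.get_paginator("describe_instances").paginate()
        merged = {"Reservations": [r for page in pages for r in page["Reservations"]]}
        flagged = noncompliant_instances(merged)
        report[region] = flagged
        if flagged and not dry_run:
            enforce_imdsv2(ec2, flagged, hop_limit)
    return report


if __name__ == "__main__":
    flagged = noncompliant_instances(SAMPLE_DESCRIBE_OUTPUT)
    print("would enforce IMDSv2 on:", flagged)
    print(enforce_imdsv2(FakeEc2(), flagged))
```

Run `audit_and_fix_all_regions(dry_run=True)` first and review the per-region list against Note 2 above: any agent on a flagged instance that still makes token-less metadata requests stops working the moment HttpTokens becomes "required".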

Publication date Feb 24, 2022