
Require IMDSv2 for Compute Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that all Oracle Cloud Infrastructure (OCI) compute instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS). IMDSv2 uses session-oriented requests. This allows you to create a session token that defines the session duration, which can be a minimum of 1 second and a maximum of 6 hours. During this duration, you can use the same session token for subsequent metadata requests. After this duration expires, you must create a new session token to use for future requests.

Security

Instance Metadata Service (IMDS) provides a convenient way to access metadata available for a running OCI compute instance such as hostname, network configuration, associated security lists, and so on. Application code can access this metadata from a running compute instance using one of two methods: Instance Metadata Service Version 1 (IMDSv1) or Instance Metadata Service Version 2 (IMDSv2). OCI compute instances that allow IMDSv1 are exposed to Server Side Request Forgery (SSRF) attacks, in which a threat actor manipulates the server side of a web application or an API into issuing requests on their behalf (for example, to the IMDS endpoint) in order to perform unauthorized actions. IMDSv2 uses session-oriented requests to mitigate several types of vulnerabilities that could be used to attempt to access the IMDS, protecting against malicious activities such as SSRF attacks.


Audit

To determine the version of the Instance Metadata Service (IMDS) configured for your OCI compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Instance information tab and check the Instance metadata service attribute value, listed under Instance details. If Instance metadata service is not set to Version 2 only, the Instance Metadata Service Version 1 (IMDSv1) is in use for the verified resource. Therefore, the IMDSv2-only configuration is not enforced for the selected OCI compute instance.

07 Repeat steps no. 5 and 6 for each compute instance deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--query 'data[].id'

02 The command output should return the requested OCI compartment identifiers (IDs):

[
	"ocid1.compartment.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

03 Run the compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each compute instance available in the selected OCI compartment:

oci compute instance list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--region 'ap-sydney-1' \
	--all \
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs:

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run the compute instance get command (Windows/macOS/Linux) with the ID of the compute instance that you want to examine as the identifier parameter and custom output filters to determine if the selected instance is configured with Instance Metadata Service Version 1 (IMDSv1):

oci compute instance get \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data."instance-options"."are-legacy-imds-endpoints-disabled"'

06 The command output should return the value of the "are-legacy-imds-endpoints-disabled" flag. "are-legacy-imds-endpoints-disabled" is true when the IMDSv1 endpoint configured for the instance is disabled and false when the IMDSv1 endpoint is enabled:

false

If the compute instance get command output returns false, the Instance Metadata Service Version 1 (IMDSv1) is in use for the verified resource. As a result, the IMDSv2-only configuration is not enforced for the selected Oracle Cloud Infrastructure (OCI) compute instance.

07 Repeat steps no. 5 and 6 for each compute instance deployed in the selected OCI compartment.

08 Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
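The CLI audit above is a per-instance loop. The following helper is an added example (it is not part of this article or of the OCI CLI) that applies the same check to a batch of records shaped like the JSON that oci compute instance get returns, and also handles a record that carries no instance-options block at all by reporting it as unverified rather than compliant. The sample records and their OCIDs are constructed placeholders; the live_records function issues the same oci calls as the audit steps and is only used when the script is run against a real tenancy.

```python
"""Batch IMDSv2-only audit over `oci compute instance get` style records.

Added example, not the article's or Oracle's code. The SAMPLE_INSTANCES below
are constructed; the OCIDs are placeholders.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample: three records in the shape `oci compute instance get` prints.
SAMPLE_INSTANCES = [
    {"data": {"id": "ocid1.instance.oc1.ap-sydney-1.EXAMPLE-v2only",
              "instance-options": {"are-legacy-imds-endpoints-disabled": True}}},
    {"data": {"id": "ocid1.instance.oc1.ap-sydney-1.EXAMPLE-v1allowed",
              "instance-options": {"are-legacy-imds-endpoints-disabled": False}}},
    # Assumed edge case: a record with no instance-options block. Do not treat
    # silence as compliance; report it separately so a human verifies it.
    {"data": {"id": "ocid1.instance.oc1.ap-sydney-1.EXAMPLE-unknown",
              "instance-options": None}},
]


def imdsv2_only(record: dict) -> Optional[bool]:
    """True if the legacy (IMDSv1) endpoint is disabled, False if it is still
    enabled, None if the record does not state the flag."""
    options = (record.get("data") or {}).get("instance-options") or {}
    flag = options.get("are-legacy-imds-endpoints-disabled")
    if isinstance(flag, bool):
        return flag
    # The CLI emits JSON booleans; tolerate a quoted "true"/"false" defensively.
    if isinstance(flag, str):
        return flag.strip().lower() == "true"
    return None


def audit(records: List[dict]) -> Dict[str, List[str]]:
    """Bucket instance IDs by status: imdsv2_only, imdsv1_allowed, unknown."""
    result: Dict[str, List[str]] = {"imdsv2_only": [], "imdsv1_allowed": [], "unknown": []}
    bucket = {True: "imdsv2_only", False: "imdsv1_allowed", None: "unknown"}
    for record in records:
        result[bucket[imdsv2_only(record)]].append(record["data"]["id"])
    return result


def live_records(compartment_id: str, region: str) -> List[dict]:
    """Fetch records with the same CLI calls the audit steps use.
    Requires a configured oci CLI; not exercised offline."""
    instance_ids = json.loads(subprocess.check_output(
        ["oci", "compute", "instance", "list", "--compartment-id", compartment_id,
         "--region", region, "--all", "--query", 'data[]."id"']))
    return [json.loads(subprocess.check_output(
        ["oci", "compute", "instance", "get", "--instance-id", instance_id]))
        for instance_id in instance_ids]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in live_records(...) for a tenancy.
    for status, ids in audit(SAMPLE_INSTANCES).items():
        for instance_id in ids:
            print(f"{status:15} {instance_id}")
```

Any instance listed under imdsv1_allowed corresponds to the false result in step 6 above; the unknown bucket exists so that a missing flag is never silently counted as compliant.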

Remediation / Resolution

To enforce IMDSv2 for your Oracle Cloud Infrastructure (OCI) compute instances, perform the following operations:

Once the use of IMDSv2 is enforced, applications or agents that use IMDSv1 for instance metadata access may lose connectivity.

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Instance information tab and choose Edit next to Instance metadata service attribute value to change the Instance Metadata Service (IMDS) version.

07 For Allowed IMDS version select Version 2 only, and choose Save Changes to apply the configuration changes. This will require that only IMDSv2 is used when requesting instance metadata for the selected OCI compute instance.

08 Repeat steps no. 5 – 7 for each compute instance provisioned in the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run the compute instance update command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to configure as the identifier parameter, to enforce using the IMDSv2-only endpoint for your compute instance. This will require that only IMDSv2 is used when requesting instance metadata for the selected instance:

oci compute instance update \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--instance-options '{"areLegacyImdsEndpointsDisabled": true}' \
	--query 'data."instance-options"."are-legacy-imds-endpoints-disabled"'

02 The command output should return the value of the "are-legacy-imds-endpoints-disabled" flag. "are-legacy-imds-endpoints-disabled" is true when the IMDSv1 endpoint configured for the instance is disabled (i.e., the instance is using an IMDSv2-only endpoint) and false when the IMDSv1 endpoint is enabled:

true

03 Repeat steps no. 1 and 2 for each compute instance deployed to the selected OCI compartment.

04 Repeat steps no. 1 – 3 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
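Applying the update to many instances is easy to get subtly wrong: the areLegacyImdsEndpointsDisabled value must be the JSON boolean true, and the change should be confirmed from the CLI's own output rather than assumed. The script below is an added example (not the article's or Oracle's code) that builds the update command from step 1 with a correctly typed payload, runs it through an injectable runner so the logic can be exercised offline, and records for each instance whether the returned flag is true. The fake runner and its OCIDs are constructed; real_runner is the one to pass when running against a tenancy.

```python
"""Batch IMDSv2-only remediation with post-update verification.

Added example, not the article's or Oracle's code. FAKE_RESPONSES and the
OCIDs in it are constructed placeholders.
"""
import json
import subprocess
from typing import Callable, Dict, List

QUERY = 'data."instance-options"."are-legacy-imds-endpoints-disabled"'


def update_command(instance_id: str) -> List[str]:
    """argv for `oci compute instance update`; json.dumps guarantees that the
    flag is serialised as the JSON boolean true, not the string "true"."""
    options = json.dumps({"areLegacyImdsEndpointsDisabled": True})
    return ["oci", "compute", "instance", "update",
            "--instance-id", instance_id,
            "--instance-options", options,
            "--query", QUERY]


def legacy_disabled(cli_output: str) -> bool:
    """Interpret the --query output: the CLI prints the flag as JSON true/false.
    Anything else (empty output, an error message) counts as not confirmed."""
    try:
        return json.loads(cli_output) is True
    except json.JSONDecodeError:
        return False


def remediate(instance_ids: List[str], run: Callable[[List[str]], str],
              dry_run: bool = False) -> Dict[str, bool]:
    """Enforce IMDSv2-only on each instance; the value is True only when the CLI
    confirmed the legacy endpoint is now disabled. In dry_run mode the commands
    are printed and nothing is executed or recorded."""
    outcome: Dict[str, bool] = {}
    for instance_id in instance_ids:
        argv = update_command(instance_id)
        if dry_run:
            print(" ".join(argv))
            continue
        outcome[instance_id] = legacy_disabled(run(argv))
    return outcome


def real_runner(argv: List[str]) -> str:
    """Runner for a configured oci CLI; not exercised offline."""
    return subprocess.check_output(argv, text=True)


# Constructed fake CLI: one instance accepts the change, the other still reports
# false afterwards (the update was rejected or did not take effect).
FAKE_RESPONSES = {
    "ocid1.instance.oc1.ap-sydney-1.EXAMPLE-a": "true\n",
    "ocid1.instance.oc1.ap-sydney-1.EXAMPLE-b": "false\n",
}


def fake_runner(argv: List[str]) -> str:
    """Stand-in for the CLI that also checks the payload is a real boolean."""
    payload = json.loads(argv[argv.index("--instance-options") + 1])
    if payload != {"areLegacyImdsEndpointsDisabled": True}:
        raise ValueError("instance-options payload is not a JSON boolean true")
    return FAKE_RESPONSES[argv[argv.index("--instance-id") + 1]]


if __name__ == "__main__":
    for instance_id, ok in remediate(list(FAKE_RESPONSES), fake_runner).items():
        print(f"{'enforced' if ok else 'NOT enforced'} {instance_id}")
```

Feed the imdsv1_allowed list from an audit into remediate with real_runner to close the finding; any instance that comes back False should be re-audited rather than marked resolved.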

Publication date Mar 6, 2025