Detections
Analytics

5.7 Ensure that the EC2 Metadata Service only allows IMDSv2

Information

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).

Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into

categories

, such as host name, events, and security groups.

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally stored EC2 instance metadata and credentials.

Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.

Solution

From Console:

 - Sign in to the AWS Management Console and navigate to the EC2 dashboard at

https://console.aws.amazon.com/ec2/

.
 - In the left navigation panel, under the INSTANCES section, choose Instances
 - Select the EC2 instance that you want to examine.
 - Choose Actions > Instance Settings > Modify instance metadata options
 - Set Instance metadata service to Enable
 - Set IMDSv2 to Required
 - Repeat steps 1-6 to perform the remediation process for other EC2 instances in all applicable AWS region(s).

From Command Line:

 -

Run the describe-instances command, applying the appropriate filters to list the IDs of all existing EC2 instances currently available in the selected region:

aws ec2 describe-instances --region <region-name> --output table --query "Reservations[*].Instances[*].InstanceId"
 -

The command output should return a table with the requested instance IDs.

 -

Run the modify-instance-metadata-options command with an instance ID obtained from the previous step to update the Instance Metadata Version:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --region <region-name>
 -

Repeat steps 1-3 to perform the remediation process for other EC2 instances in the same AWS region.

 -

Change the region by updating --region and repeat the process for other regions.

See Also

https://workbench.cisecurity.org/benchmarks/20495

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5.2

Plugin: amazon_aws

Control ID: ea696f3b06dca1ebe9a986911232fb3281dca8d62eb59b0d3850d7f17c4a8b70