Ensure IMDSv1 is disabled for AWS EC2 instances in AWS Launch Configuration

HIGH

Description

An AWS Launch Configuration that leaves IMDSv1 enabled (metadata_options.http_tokens not set to required) produces instances whose metadata service answers unauthenticated GET requests on http://169.254.169.254. Any application on such an instance that can be made to fetch an attacker-chosen URL (server-side request forgery, SSRF) can then read the IAM role credentials under /latest/meta-data/iam/security-credentials/. IMDSv2 requires a session token that must first be obtained with a PUT request, which a typical SSRF primitive cannot issue, so requiring tokens closes this path.

Remediation

In AWS Console -

  1. When creating the launch configuration (or launching a new instance) in the Amazon EC2 console, set the following options under Advanced Details:
    a. For Metadata accessible, select Enabled. The instance still needs the metadata service; the goal is to require tokens, not to turn the service off.
    b. For Metadata version, select V2 (token required).

In Terraform -

  1. In the aws_launch_configuration resource, add a metadata_options block and keep the http_endpoint field set to enabled. Setting it to disabled turns the metadata service off entirely, which breaks anything on the instance that relies on it and is not what this rule requires.
  2. Set the metadata_options.http_tokens field to required so that requests without an IMDSv2 session token are rejected.
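The Terraform steps above, as an added example that is not part of the original policy page: a launch configuration that still serves IMDSv1 next to the corrected one. The resource names, name prefixes, AMI ID and instance type are placeholders.

```hcl
# Added example (not the policy page's own code). AMI ID, names and
# instance type are placeholders.

# WEAK: http_tokens = "optional" keeps IMDSv1 answering plain GETs, so an
# SSRF in a web app on the instance can fetch
# http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# and obtain live AWS credentials.
resource "aws_launch_configuration" "web_weak" {
  name_prefix   = "web-weak-"
  image_id      = "ami-0123456789abcdef0" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional" # IMDSv1 still accepted
  }
}

# FIXED: keep the endpoint enabled (the instance still needs metadata) but
# require the IMDSv2 session token. A plain GET now receives HTTP 401; a
# client must first PUT /latest/api/token with the
# X-aws-ec2-metadata-token-ttl-seconds header and send the returned token in
# X-aws-ec2-metadata-token on every subsequent request.
resource "aws_launch_configuration" "web_hardened" {
  name_prefix   = "web-hardened-"
  image_id      = "ami-0123456789abcdef0" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"  # NOT "disabled"
    http_tokens                 = "required" # IMDSv2 only
    http_put_response_hop_limit = 1          # token response stays on the host
  }

  # Launch configurations are immutable; replace rather than edit in place.
  lifecycle {
    create_before_destroy = true
  }
}
```

The hop limit of 1 is a deliberate extra: the PUT response carrying the token will not traverse a second network hop, so a forwarded request from another host cannot obtain one. The same setting also prevents containers on the instance that use Docker bridge networking from reaching IMDSv2, so raise it to 2 on hosts that run such workloads. Instances already running from the old configuration keep their IMDSv1 setting until they are replaced; after applying, the auto scaling group must be refreshed or its instances cycled. The same metadata_options block, with the same three fields, exists on aws_launch_template, which is what AWS now recommends instead of launch configurations.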

References:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/configuring-instance-metadata-service.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration

Policy Details

Rule Reference ID: AC_AWS_0456
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks