More Info:
Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS). IMDSv2 uses session-oriented requests. This allows you to create a session token that defines the session duration, which can be a minimum of 1 second and a maximum of 6 hours. During this duration, you can use the same session token for subsequent metadata requests. After this duration expires, you must create a new session token to use for future requests.
Risk Level: Medium
Address: Security
Compliance Standards: CBP, NISTCSF
Triage and Remediation
Remediation
Using Console
To remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS console, follow these steps:
- Log in to the AWS Management Console.
- Navigate to the EC2 dashboard.
- Select the EC2 instance that needs to be remediated.
- Click the “Actions” button, select “Instance Settings”, then click “Modify instance metadata options”.
- In the “Modify instance metadata options” dialog box, select “Required” for the “IMDSv2” option and click “Save”.
- Verify the configuration by following the same steps above.
Using CLI
The Instance Metadata Service (IMDS) is a service provided by Amazon Web Services (AWS) that allows EC2 instances to retrieve metadata about themselves and their environment. IMDSv2 is a newer version of the service that provides additional security features.
To remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or on an EC2 instance with the appropriate IAM permissions.
- Run the modify-instance-metadata-options command to enable IMDSv2 on the current EC2 instance, passing the --http-endpoint enabled and --http-tokens required parameters.
- To enable IMDSv2 on all new EC2 instances launched in the current region, run the modify-instance-metadata-options command with the same --http-endpoint enabled and --http-tokens required parameters.
- Verify that IMDSv2 is enabled on the EC2 instance by issuing a metadata request with a session token. The request should return the security credentials associated with the instance’s IAM role, indicating that IMDSv2 is enabled.
By following these steps, you can remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS CLI.
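The verification step above depends on the IMDSv2 session flow described under More Info: a PUT to the token endpoint with a TTL header (1 second to 6 hours) returns a token, and every metadata GET then carries that token. The following is an added example, not code from the page or from AWS; it uses the documented IMDS endpoint, paths and header names, while `send` and `clock` are hypothetical injection points so the same logic can run against the constructed `StubImds` below instead of a live instance. `imdsv2_is_enforced` is the check a practitioner wants after remediation: with `--http-tokens required`, a token-less GET must be refused with HTTP 401.

```python
"""IMDSv2 session-token client plus an enforcement check (added example)."""
import time
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MIN_TTL, MAX_TTL = 1, 21600  # 1 second to 6 hours, the bounds stated in More Info


def urllib_send(method, url, headers, timeout=2.0):
    """Real transport: issue the request and return (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


class ImdsV2Session:
    """Caches one session token and requests a new one once its TTL has elapsed."""

    def __init__(self, ttl_seconds=300, send=urllib_send, clock=time.monotonic):
        if not MIN_TTL <= ttl_seconds <= MAX_TTL:
            raise ValueError(f"TTL must be between {MIN_TTL} and {MAX_TTL} seconds")
        self.ttl = ttl_seconds
        self._send, self._clock = send, clock  # hypothetical injection points
        self._token, self._expires_at = None, 0.0
        self.tokens_issued = 0  # number of PUT /latest/api/token calls made

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            status, body = self._send("PUT", IMDS_BASE + TOKEN_PATH, {TTL_HEADER: str(self.ttl)})
            if status != 200:
                raise RuntimeError(f"token request rejected with HTTP {status}")
            self._token = body.strip()
            self._expires_at = self._clock() + self.ttl
            self.tokens_issued += 1
        return self._token

    def get(self, path):
        """GET a metadata path with the session token attached (the IMDSv2 way)."""
        status, body = self._send("GET", IMDS_BASE + path, {TOKEN_HEADER: self.token()})
        if status == 401:
            raise PermissionError("IMDS refused the request: a valid session token is required")
        if status != 200:
            raise RuntimeError(f"metadata request failed with HTTP {status}")
        return body


def imdsv2_is_enforced(send):
    """Post-remediation check: with HttpTokens=required a token-less GET gets 401."""
    status, _ = send("GET", IMDS_BASE + "/latest/meta-data/instance-id", {})
    return status == 401


class StubImds:
    """Constructed stand-in for one instance's metadata service (offline demo only)."""

    def __init__(self, require_tokens=True):
        self.require_tokens = require_tokens
        self.issued = 0
        self.now = 0.0  # fake monotonic clock, advanced by hand

    def clock(self):
        return self.now

    def send(self, method, url, headers):
        if method == "PUT" and url == IMDS_BASE + TOKEN_PATH:
            if not MIN_TTL <= int(headers.get(TTL_HEADER, "0")) <= MAX_TTL:
                return 400, ""
            self.issued += 1
            return 200, f"tok-{self.issued}"
        if method == "GET":
            valid = self.issued > 0 and headers.get(TOKEN_HEADER) == f"tok-{self.issued}"
            if self.require_tokens and not valid:
                return 401, ""  # IMDSv1-style (token-less) request refused
            return 200, "i-0123456789abcdef0"  # constructed instance id
        return 404, ""


def demo():
    """Two GETs share one token; after the TTL lapses a fresh token is requested."""
    stub = StubImds()
    session = ImdsV2Session(ttl_seconds=60, send=stub.send, clock=stub.clock)
    first = session.get("/latest/meta-data/instance-id")
    second = session.get("/latest/meta-data/instance-id")
    stub.now += 61  # session duration has expired
    third = session.get("/latest/meta-data/instance-id")
    return {"instance_id": first, "same": first == second == third,
            "tokens_issued": session.tokens_issued,
            "enforced": imdsv2_is_enforced(stub.send)}


if __name__ == "__main__":
    print(demo())
```

On a real instance, `ImdsV2Session()` with the default `urllib_send` performs the same exchange against 169.254.169.254, and `imdsv2_is_enforced(urllib_send)` returning `False` means the instance still answers IMDSv1-style requests and needs the metadata options changed.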
Using Python
The Instance Metadata Service (IMDS) is a service provided by AWS that allows EC2 instances to retrieve information about themselves and their environment. IMDSv1 is the default version of the service, but it has some security vulnerabilities that can be exploited by attackers. IMDSv2 is a more secure version of the service that addresses these vulnerabilities.
To remediate the “Require IMDSv2 For EC2 Instances” misconfiguration in AWS using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) using pip:
- Create a new Python script and import the necessary libraries:
- Create a new session and EC2 client:
- Get a list of all EC2 instances in your account:
- For each instance, check if IMDSv2 is already enabled:
- If IMDSv2 is not enabled, update the instance attribute to enable it:
- Save and run the Python script to remediate the misconfiguration.
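The steps above, carried through as one script. This is an added example, not the page's own script: it uses the real boto3 EC2 client operations `describe_instances` and `modify_instance_metadata_options` (with the `HttpEndpoint` and `HttpTokens` fields the CLI section's `--http-endpoint` and `--http-tokens` map to), but takes the client as a parameter so the check-and-fix logic can run offline against the constructed `StubEc2` at the bottom. `main()` is the only function that imports boto3 and touches a real account.

```python
"""Find instances not requiring IMDSv2 and set HttpTokens=required (added example)."""


def list_instances(ec2):
    """Collect instances across all describe_instances pages (NextToken loop)."""
    instances, token = [], None
    while True:
        page = ec2.describe_instances(**({"NextToken": token} if token else {}))
        for reservation in page.get("Reservations", []):
            instances.extend(reservation.get("Instances", []))
        token = page.get("NextToken")
        if not token:
            return instances


def needs_remediation(instance):
    """True when the instance would still answer IMDSv1 (token-less) requests."""
    if instance.get("State", {}).get("Name") == "terminated":
        return False  # nothing left to modify
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return False  # design choice: no metadata endpoint at all, so no IMDSv1 exposure
    return opts.get("HttpTokens") != "required"


def enforce_imdsv2(ec2, dry_run=False):
    """Return the instance ids that were (or, with dry_run, would be) updated."""
    updated = []
    for inst in list_instances(ec2):
        if not needs_remediation(inst):
            continue
        if not dry_run:
            ec2.modify_instance_metadata_options(
                InstanceId=inst["InstanceId"],
                HttpEndpoint="enabled",
                HttpTokens="required",
            )
        updated.append(inst["InstanceId"])
    return updated


def main(region_name=None, dry_run=False):
    """Run against a real account; boto3 is imported here so everything else stays offline."""
    import boto3
    ec2 = boto3.session.Session(region_name=region_name).client("ec2")
    return enforce_imdsv2(ec2, dry_run=dry_run)


class StubEc2:
    """Constructed stand-in for the EC2 client: three instances served over two pages."""

    def __init__(self):
        self.instances = {
            "i-0aaa": {"InstanceId": "i-0aaa", "State": {"Name": "running"},
                       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            "i-0bbb": {"InstanceId": "i-0bbb", "State": {"Name": "running"},
                       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            "i-0ccc": {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
                       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        }
        self.calls = []  # (InstanceId, kwargs) for every modify call

    def describe_instances(self, NextToken=None):
        ids = sorted(self.instances)
        if NextToken is None:
            return {"Reservations": [{"Instances": [self.instances[i] for i in ids[:2]]}],
                    "NextToken": "page2"}
        return {"Reservations": [{"Instances": [self.instances[i] for i in ids[2:]]}]}

    def modify_instance_metadata_options(self, InstanceId, **kwargs):
        self.calls.append((InstanceId, kwargs))
        opts = self.instances[InstanceId]["MetadataOptions"]
        for key in ("HttpEndpoint", "HttpTokens"):
            if key in kwargs:
                opts[key] = kwargs[key]
        return {"InstanceId": InstanceId, "InstanceMetadataOptions": dict(opts)}


if __name__ == "__main__":
    stub = StubEc2()
    print("would update:", enforce_imdsv2(stub, dry_run=True))
    print("updated:", enforce_imdsv2(stub))
    print("remaining:", enforce_imdsv2(stub))
```

Running `main(dry_run=True)` first lists what would change without touching anything; `HttpTokens="required"` applies to stopped instances as well as running ones, and a second pass returning an empty list is the confirmation that the region is clean.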