Triage and Remediation
Remediation
Using Console
To remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS console, follow these steps:
- Log in to the AWS Management Console.
- Navigate to the EC2 dashboard.
- Select the EC2 instance that needs to be remediated.
- Click on the “Actions” button and select “Instance Settings” and then click on “Modify IAM Role”.
- In the “Modify IAM Role” dialog box, select “Require IMDSv2” and click “Save”.
- Verify the configuration by checking the “IMDSv2” column in the EC2 instances view. It should show “Enabled”.
Using CLI
The Instance Metadata Service (IMDS) is a service provided by Amazon Web Services (AWS) that allows EC2 instances to retrieve metadata about themselves and their environment. IMDSv2 is a newer version of the service that provides additional security features. To remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or an EC2 instance with appropriate IAM permissions.
- Run the following command to enable IMDSv2 on all running EC2 instances in the current region. This command uses the modify-instance-metadata-options API to enable IMDSv2 on the current EC2 instance by passing the --http-endpoint enabled and --http-put-response-hop-limit 1 parameters.
- To enable IMDSv2 on all new EC2 instances launched in the current region, run the following command. This command uses the modify-instance-metadata-options API to enable IMDSv2 on all new EC2 instances launched in the current region by passing the --http-endpoint enabled and --http-put-response-hop-limit 1 parameters.
- Verify that IMDSv2 is enabled on the EC2 instance by running the following command. This command should return the security credentials associated with the instance’s IAM role, indicating that IMDSv2 is enabled.
By following these steps, you can remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS CLI.
Using Python
The Instance Metadata Service (IMDS) is a service provided by AWS that allows EC2 instances to retrieve information about themselves and their environment. IMDSv1 is the default version of the service, but it has some security vulnerabilities that can be exploited by attackers. IMDSv2 is a more secure version of the service that addresses these vulnerabilities. To remediate the “Require IMDSv2 For EC2 Instances” misconfiguration in AWS using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) using pip:
- Create a new Python script and import the necessary libraries:
- Create a new session and EC2 client:
- Get a list of all EC2 instances in your account:
- For each instance, check if IMDSv2 is already enabled:
- If IMDSv2 is not enabled, update the instance attribute to enable it:
- Save and run the Python script to remediate the misconfiguration.
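The CLI and Python sections above describe the same procedure, but the commands and script bodies are missing from this copy. The following boto3 script is an added example (not the page's own code) that carries the Python steps through: it lists the region's instances, decides which ones still answer IMDSv1 requests, and applies the page's --http-endpoint enabled and --http-put-response-hop-limit 1 settings together with HttpTokens=required, the option that actually rejects token-less calls. It assumes credentials with ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions; SAMPLE_INSTANCES is constructed test data.

```python
"""Enforce IMDSv2 (HttpTokens=required) on EC2 instances; the decision logic
is kept free of boto3 so it can be checked offline. Example code, not the page's."""

# Constructed sample in the (abridged) shape that describe_instances() returns.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "terminated"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
]

def needs_remediation(opts: dict) -> bool:
    """True while token-less (IMDSv1) requests are still answered."""
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return False  # IMDS is switched off entirely; nothing for IMDSv1 to reach
    return opts.get("HttpTokens", "optional") != "required"

def targets(instances: list) -> list:
    """Ids of live instances that still accept IMDSv1 requests."""
    return [
        inst["InstanceId"] for inst in instances
        if inst.get("State", {}).get("Name") not in ("terminated", "shutting-down")
        and needs_remediation(inst.get("MetadataOptions", {}))
    ]

def remediation_params(instance_id: str) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options()."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",      # reject requests that carry no session token
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": 1,  # the page's value; token responses stop at the host
    }

def remediate(ec2) -> list:
    """Apply the change to every target in the region; returns the ids changed."""
    instances = [inst
                 for page in ec2.get_paginator("describe_instances").paginate()
                 for res in page["Reservations"] for inst in res["Instances"]]
    changed = targets(instances)
    for instance_id in changed:
        ec2.modify_instance_metadata_options(**remediation_params(instance_id))
    return changed

if __name__ == "__main__":
    print("offline check, would change:", targets(SAMPLE_INSTANCES))  # ['i-0aaa']
    import boto3  # imported late so the functions above load without the SDK
    print("changed in region:", remediate(boto3.client("ec2")))
```

Run it once per region with the target profile active; re-running is safe because instances already at HttpTokens=required are skipped.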