AWS EC2 with IMDSv1 Enabled

Description:

The Instance Metadata Service (IMDS) is reachable from every EC2 instance at the link-local address 169.254.169.254 and serves data about the instance, including the temporary credentials of the IAM role attached to it. Version 1 (IMDSv1) answers any plain GET request with no session token, so a Server Side Request Forgery (SSRF) flaw, open proxy or misconfigured reverse proxy in software running on the instance lets an attacker read those credentials from outside the instance. IMDSv2 requires every request to carry a session token that is first obtained with a PUT request and a custom header, which the usual SSRF primitive (a GET to a URL the attacker chooses, with no control over method or headers) cannot issue. Requiring IMDSv2, and thereby disabling IMDSv1, closes this path.
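To make the difference concrete, the following added example (not AWS code, and not part of the original page) models both sides of the exchange in one process: a minimal metadata endpoint that behaves as IMDSv1 when HttpTokens is "optional" and as IMDSv2 when it is "required", an attacker who can only issue header-less GETs through an SSRF, and a legitimate client that performs the PUT-then-GET token flow. The role name, credential body and hop counts are constructed; the header names and the 21600-second maximum TTL are the real ones.

```python
"""Why requiring IMDSv2 stops credential theft through SSRF.

Added example, not AWS code. It models the two behaviours that matter:
  * IMDSv1 (HttpTokens=optional): a bare GET to /latest/meta-data/... is answered.
  * IMDSv2 (HttpTokens=required): the client must first PUT /latest/api/token with
    an X-aws-ec2-metadata-token-ttl-seconds header, then send the returned token
    in X-aws-ec2-metadata-token on every GET.
The hop limit models the IP TTL AWS sets on the token response: a requester more
than HttpPutResponseHopLimit hops away never receives the token.
Role name, credential body and hop counts below are constructed sample data."""

import secrets
import time

ROLE_NAME = "example-instance-role"                      # constructed
CRED_PATH = "/latest/meta-data/iam/security-credentials/" + ROLE_NAME
TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"


class MockIMDS:
    """Tiny model of the metadata endpoint on 169.254.169.254."""

    def __init__(self, http_tokens="optional", hop_limit=1):
        if http_tokens not in ("optional", "required"):
            raise ValueError("HttpTokens must be 'optional' or 'required'")
        self.http_tokens = http_tokens      # mirrors the instance attribute
        self.hop_limit = hop_limit          # mirrors HttpPutResponseHopLimit
        self._tokens = {}                   # token -> expiry (epoch seconds)

    def handle(self, method, path, headers=None, ttl_hops=0):
        """Return (status, body); status None means the response was dropped."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            ttl = headers.get(TTL_HDR.lower())
            if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
                return 400, "missing or invalid TTL header"
            if ttl_hops > self.hop_limit:
                return None, "token response dropped by hop limit"
            tok = secrets.token_urlsafe(32)
            self._tokens[tok] = time.time() + int(ttl)
            return 200, tok
        if method != "GET":
            return 405, "method not allowed"
        tok = headers.get(TOKEN_HDR.lower())
        if tok is not None:
            if self._tokens.get(tok, 0) < time.time():
                return 401, "invalid or expired token"
        elif self.http_tokens == "required":
            return 401, "IMDSv2 token required"    # IMDSv1-style request rejected
        if path == CRED_PATH:
            return 200, '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed"}'
        return 404, "not found"


def ssrf_fetch(imds, url):
    """What a classic SSRF gives the attacker: a GET of a chosen URL, nothing else."""
    path = url.split("169.254.169.254", 1)[1]
    return imds.handle("GET", path)


def imdsv2_client(imds, path, hops=0):
    """The two-step flow an up-to-date SDK performs on the instance itself."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HDR: "21600"}, ttl_hops=hops)
    if status != 200:
        return status, "could not obtain token"
    return imds.handle("GET", path, {TOKEN_HDR: token})


def demo():
    """Status codes for the four cases a practitioner cares about."""
    v1 = MockIMDS("optional")
    v2 = MockIMDS("required")
    url = "http://169.254.169.254" + CRED_PATH
    return {
        "ssrf_v1": ssrf_fetch(v1, url)[0],                         # credentials leak
        "ssrf_v2": ssrf_fetch(v2, url)[0],                         # rejected
        "client_v2": imdsv2_client(v2, CRED_PATH)[0],              # normal path works
        "client_v2_2hops": imdsv2_client(v2, CRED_PATH, hops=2)[0],  # beyond hop limit
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The last case is the operational caveat: with the default hop limit of 1, a process two hops away (for example a container on a bridged Docker network) cannot complete the token handshake; raise HttpPutResponseHopLimit to 2 for such hosts rather than falling back to IMDSv1.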


Remediation:

1. Enable IMDSv2 on EC2 Instances:

IMDSv2 is session oriented: a client first obtains a token with a PUT to /latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header (TTL of at most 21600 seconds), then presents that token in the X-aws-ec2-metadata-token header on every subsequent request. Setting the HttpTokens metadata option to "required" makes the instance reject token-less IMDSv1-style requests. Current AWS SDKs and CLI versions use IMDSv2 automatically, but legacy agents or scripts that hard-code plain GETs against the metadata endpoint will break, so check the MetadataNoToken CloudWatch metric for the instance before enforcing.

AWS Management Console:
  • Navigate to the EC2 Dashboard and open Instances.
  • Select the instance you want to modify.
  • Click on Actions > Instance settings > Modify instance metadata options.
  • Leave IMDS set to Enabled and set IMDSv2 to Required, then save.
AWS CLI:

Require IMDSv2 on a running instance (no reboot is needed; the MetadataOptions State in describe-instances shows "pending" and then "applied"):

aws ec2 modify-instance-metadata-options --instance-id [INSTANCE_ID] --http-endpoint enabled --http-tokens required
Terraform:

When launching or modifying EC2 instances with Terraform, ensure they are configured with IMDSv2 required. The same metadata_options block is accepted by aws_launch_template, so instances created by Auto Scaling groups should be covered there as well:

resource "aws_instance" "example" {
  # ... other configurations ...

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
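Before running the CLI command above across an account it helps to know which instances still allow IMDSv1. The following added audit script (not AWS tooling, and not from the original page) reads the JSON that `aws ec2 describe-instances --output json` prints, classifies each instance from its MetadataOptions, and emits one modify-instance-metadata-options command per non-compliant instance. The sample document and instance IDs are constructed; in use, pipe the real describe-instances output in on stdin.

```python
"""Audit EC2 instances for IMDSv1 and print the remediation commands.

Added example, not AWS tooling. Input is the JSON document produced by
`aws ec2 describe-instances --output json`; only the MetadataOptions fields
HttpEndpoint and HttpTokens are consulted. SAMPLE below is constructed."""

import json
import sys

# Constructed sample: three instances across two reservations.
SAMPLE = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0aaa000000000002",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaa000000000003",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "disabled"}},
        ]},
    ]
})


def audit(describe_output):
    """Return {instance_id: verdict} for every instance in the document.

    'ok'      HttpTokens is "required", or the metadata endpoint is disabled
              outright (nothing for an SSRF to reach).
    'imdsv1'  endpoint enabled and HttpTokens "optional": remediate.
    Missing fields are treated as the permissive value so the audit fails
    toward flagging rather than silently passing an instance.
    """
    data = json.loads(describe_output)
    verdicts = {}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            endpoint = opts.get("HttpEndpoint", "enabled")
            tokens = opts.get("HttpTokens", "optional")
            if endpoint == "disabled" or tokens == "required":
                verdicts[inst["InstanceId"]] = "ok"
            else:
                verdicts[inst["InstanceId"]] = "imdsv1"
    return verdicts


def remediation_commands(verdicts, hop_limit=1):
    """One modify-instance-metadata-options call per non-compliant instance.

    hop_limit is passed through explicitly; raise it to 2 for hosts whose
    workloads reach IMDS from inside a bridged container network."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        f"--http-endpoint enabled --http-tokens required "
        f"--http-put-response-hop-limit {hop_limit}"
        for iid, verdict in sorted(verdicts.items()) if verdict == "imdsv1"
    ]


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    result = audit(raw)
    for iid, verdict in sorted(result.items()):
        print(f"{iid}: {verdict}")
    for cmd in remediation_commands(result):
        print(cmd)
```

Run it once per region (describe-instances is regional) and review the printed commands before executing them; an instance that reports "imdsv1" but whose MetadataNoToken metric is non-zero still has a client depending on IMDSv1 that needs fixing first.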

Recommendation:

Require IMDSv2 on every EC2 instance so that an SSRF or open proxy in a workload on the instance cannot be turned into stolen IAM role credentials; note that this does not fix the SSRF itself, it only removes IMDS as a target for it. Disable IMDSv1 on existing instances, bake the requirement into launch templates and AMIs, and enforce it at launch time with an IAM policy that uses the ec2:MetadataHttpTokens condition key. Regularly review instance metadata options (the HttpTokens field in describe-instances) so that newly launched or restored instances do not reintroduce IMDSv1.