Public AWS EC2 with IMDSv1 Enabled

Description:

The Instance Metadata Service (IMDS) is a link-local HTTP endpoint (169.254.169.254) that gives software running on an EC2 instance information about the instance and, when an instance profile is attached, temporary credentials for the instance's IAM role. IMDSv1, the first version of the service, answers any plain GET to that address without a session token, so a server-side request forgery (SSRF) flaw, an open or misconfigured reverse proxy, or any other primitive that lets an outsider make the instance issue a GET is enough to read those credentials and act as the instance's role. On an instance that is reachable from the internet this turns a single web-application bug into a direct path to AWS account access.


Remediation:

1. Upgrade to IMDSv2:

AWS Management Console:
  • Navigate to the EC2 Dashboard and open Instances.
  • Select the instance in question.
  • Under the Actions dropdown, choose Instance settings, then Modify instance metadata options.
  • Leave Instance metadata service set to Enabled.
  • Set IMDSv2 to Required and save. From this point the instance only answers requests that carry a session token.
AWS CLI:

To modify the metadata options for the specified EC2 instance (replace [INSTANCE_ID] with the target instance; the change applies immediately without a reboot):

aws ec2 modify-instance-metadata-options --instance-id [INSTANCE_ID] --http-tokens required
Terraform:

Make sure your Terraform configuration for the EC2 instance specifies the use of IMDSv2. If instances are launched from a launch template or Auto Scaling group, put the same metadata_options block on the aws_launch_template resource as well, otherwise a replaced instance comes back with the template's default (IMDSv1 allowed):

resource "aws_instance" "example" {
  # ... other configuration ...

  metadata_options {
    http_endpoint = "enabled"   # keep IMDS itself on; the app still needs it for role credentials
    http_tokens   = "required"  # reject tokenless (IMDSv1) requests
    # http_put_response_hop_limit = 1 keeps token responses from crossing a network hop (the default)
  }
}
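Before and after applying any of the three remediation paths above, it helps to know which instances in the account are actually affected. The following audit is an added example and not part of the original page or of any AWS tooling: the check is a pure function over the shape returned by ec2:DescribeInstances, so it runs offline on the constructed sample embedded below, and fetch_instances() is an optional live path that assumes boto3 is installed and credentials are configured. The instance IDs, addresses and role name in the sample are made up.

```python
"""Find EC2 instances that still accept IMDSv1 (HttpTokens=optional) and
rank those with a public address first. Added example, not AWS code."""

# Constructed sample in the shape of a DescribeInstances response (not real data).
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "PublicIpAddress": "203.0.113.10",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbb222",  # private only, still on v1
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "PublicIpAddress": "203.0.113.11",  # already fixed
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddd444", "PublicIpAddress": "203.0.113.12",  # IMDS switched off
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
    ]}]
}


def is_public(instance):
    """True if the instance has a public IPv4 or any IPv6 address.
    Assumption: security groups and NACLs are not consulted; 'reachable'
    here means 'has an internet-routable address'."""
    if instance.get("PublicIpAddress"):
        return True
    for eni in instance.get("NetworkInterfaces", []):
        if eni.get("Ipv6Addresses") or eni.get("Association", {}).get("PublicIp"):
            return True
    return False


def imds_findings(instance):
    """Return a list of human-readable findings for one instance (empty = clean)."""
    mo = instance.get("MetadataOptions", {})
    findings = []
    if mo.get("HttpEndpoint") == "disabled":
        return findings  # no IMDS at all, nothing for an SSRF to read
    tokens = mo.get("HttpTokens", "optional")
    if tokens != "required":
        where = "PUBLIC instance still accepts IMDSv1" if is_public(instance) else "IMDSv1 still accepted"
        findings.append(f"{where} (HttpTokens={tokens})")
    hop = mo.get("HttpPutResponseHopLimit", 1)
    if hop > 1:
        # A hop limit above 1 lets IMDSv2 token responses cross a network hop,
        # e.g. into containers or through a forwarding proxy on the instance.
        findings.append(f"IMDSv2 token responses may leave the instance (HttpPutResponseHopLimit={hop})")
    return findings


def audit(response):
    """Map InstanceId -> findings for every instance that has at least one."""
    result = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            f = imds_findings(inst)
            if f:
                result[inst["InstanceId"]] = f
    return result


def fetch_instances(region_name):
    """Live path (assumes boto3 and AWS credentials): merge all pages into one response."""
    import boto3  # imported here so the offline audit above has no dependency
    ec2 = boto3.client("ec2", region_name=region_name)
    merged = {"Reservations": []}
    for page in ec2.get_paginator("describe_instances").paginate():
        merged["Reservations"].extend(page["Reservations"])
    return merged


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_RESPONSE).items():
        for line in findings:
            print(f"{instance_id}: {line}")
        print(f"  fix: aws ec2 modify-instance-metadata-options --instance-id {instance_id} --http-tokens required")
```

Run against the sample it reports i-0aaa111 (public, v1, hop limit 2) and i-0bbb222 (private, v1) and stays silent about the instance that already requires tokens and the one with IMDS disabled. The same MetadataOptions block can be checked for one instance with aws ec2 describe-instances --instance-ids [INSTANCE_ID] --query 'Reservations[].Instances[].MetadataOptions'.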

Recommendation:

Migrate every EC2 instance to IMDSv2, starting with those that are publicly reachable. IMDSv2 is session-oriented: a client must first send a PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and then present the returned token in an X-aws-ec2-metadata-token header on each GET. A GET-only SSRF primitive cannot complete that handshake, the token endpoint refuses PUT requests that arrive with an X-Forwarded-For header (as they do through most proxies), and the default hop limit of 1 keeps token responses from crossing a network hop out of the instance. Before flipping a fleet to required, watch the EC2 CloudWatch metric MetadataNoToken to find workloads that still call IMDSv1, and make the setting the default in launch templates and AMIs so new instances do not regress. Alongside this, keep reviewing AWS security advisories and the account's configuration against current best practice.
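The description above says why a plain GET is enough against IMDSv1, and the recommendation describes the PUT-then-GET handshake that IMDSv2 demands instead. The following exchange shows both sides of that protocol against a local stand-in for 169.254.169.254. It is an added example, not AWS code: the toy server only mimics the documented IMDSv2 rules (token-only access when http-tokens is required, TTL between 1 and 21600 seconds, PUT rejected when X-Forwarded-For is present), the role name it returns is made up, and the hop-limit behaviour is not modelled.

```python
"""IMDSv1 versus IMDSv2 exchange against a local stand-in for the metadata
endpoint. Added example; the server is a toy, not AWS code."""
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeIMDS(http.server.BaseHTTPRequestHandler):
    require_tokens = True  # True mirrors "--http-tokens required"; False mirrors v1 allowed
    tokens = {}            # token -> expiry time (class-level, shared by all requests)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._send(404)
        # IMDSv2 refuses to mint a token for a request that came through a proxy.
        if "X-Forwarded-For" in self.headers:
            return self._send(403)
        ttl = self.headers.get(TTL_HEADER)
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token is None:
            if self.require_tokens:
                return self._send(401)  # tokenless GET = IMDSv1 style, rejected
        elif self.tokens.get(token, 0) <= time.time():
            return self._send(401)      # unknown or expired token
        if self.path == CREDS_PATH:
            return self._send(200, "example-role")  # constructed role name
        self._send(404)


def start_server(require_tokens=True):
    """Start a FakeIMDS on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (FakeIMDS,), {"require_tokens": require_tokens, "tokens": {}})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(base, path, method="GET", headers=None):
    """One HTTP request; returns (status, body) instead of raising on 4xx."""
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def v1_style_get(base):
    """What a GET-only SSRF delivers: no token, just the credentials path."""
    return fetch(base, CREDS_PATH)


def v2_get_credentials(base, ttl=21600):
    """The IMDSv2 handshake: PUT for a session token, then GET with the token."""
    status, token = fetch(base, TOKEN_PATH, "PUT", {TTL_HEADER: str(ttl)})
    if status != 200:
        return status, ""
    return fetch(base, CREDS_PATH, headers={TOKEN_HEADER: token})


def ssrf_via_proxy(base):
    """A relayed PUT that picked up X-Forwarded-For on the way is refused a token."""
    return fetch(base, TOKEN_PATH, "PUT", {TTL_HEADER: "21600", "X-Forwarded-For": "198.51.100.7"})


if __name__ == "__main__":
    srv, base = start_server(require_tokens=False)
    print("v1 allowed, tokenless GET:", v1_style_get(base))
    srv.shutdown()
    srv, base = start_server(require_tokens=True)
    print("v2 required, tokenless GET:", v1_style_get(base))
    print("v2 required, proper handshake:", v2_get_credentials(base))
    print("v2 required, PUT via proxy:", ssrf_via_proxy(base))
    srv.shutdown()
```

With tokens optional the tokenless GET returns the credentials, which is exactly what an SSRF against a v1 instance yields; with tokens required the same GET gets 401, the handshake still succeeds for legitimate code on the instance, and a PUT that crossed a proxy is refused a token with 403.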