EC2 instances should enforce IMDSv2


Description

Use the IMDSv2 session-oriented communication method to transport instance metadata.

For more information, you can also refer to our in-depth explanation of what IMDSv2 is and why it matters.

Rationale

AWS default configurations allow the use of IMDSv1, IMDSv2, or both. IMDSv1 answers plain GET requests and is therefore exposed to a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests protected by a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.

Remediation

Follow the Transition to using Instance Metadata Service Version 2 docs to learn how to transition and reconfigure your software.
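The following is an added example (not Datadog's or AWS's code) that ties the rationale and the remediation together: it audits `aws ec2 describe-instances` output for instances whose metadata endpoint is enabled but still accepts IMDSv1 (`HttpTokens` set to `optional`), builds the `aws ec2 modify-instance-metadata-options` call that enforces IMDSv2 for each finding, and shows the PUT request that opens an IMDSv2 session, which is what a plain GET through an open proxy or SSRF cannot produce. The instance IDs and the reservation JSON are constructed, and the hop limit of 1 is an assumed default (hosts that run containers may need 2).

```python
"""Audit EC2 metadata options for IMDSv1 exposure and emit the IMDSv2 remediation.

Added example, not Datadog's or AWS's code. Assumes the JSON shape of
`aws ec2 describe-instances --output json` as documented by AWS; the sample
below is constructed for offline use and the instance IDs are fake.
"""
import json

# Constructed sample of `aws ec2 describe-instances --output json`.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            # Endpoint enabled and tokens optional: IMDSv1 still accepted.
            {"InstanceId": "i-0aaa111example", "State": {"Name": "running"},
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
            # Compliant: tokens required, so only IMDSv2 is served.
            {"InstanceId": "i-0bbb222example", "State": {"Name": "running"},
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
            # Endpoint disabled: neither IMDS version is reachable, so not flagged.
            {"InstanceId": "i-0ccc333example", "State": {"Name": "stopped"},
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled",
                                 "HttpPutResponseHopLimit": 2}},
        ]}
    ]
})

IMDSV2_MAX_TOKEN_TTL = 21600  # six hours, the maximum IMDSv2 session token lifetime


def find_imdsv1_instances(describe_output: str) -> list:
    """Return instances whose metadata endpoint is enabled and still accepts IMDSv1.

    An instance is non-compliant when HttpTokens is anything other than
    "required" while HttpEndpoint is "enabled"; a disabled endpoint exposes
    neither IMDSv1 nor IMDSv2, so it is skipped.
    """
    data = json.loads(describe_output)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "HttpTokens": opts.get("HttpTokens"),
                    "HopLimit": opts.get("HttpPutResponseHopLimit"),
                })
    return findings


def remediation_command(instance_id: str, hop_limit: int = 1) -> str:
    """Build the AWS CLI call that enforces IMDSv2 on one instance.

    hop_limit=1 is an assumed default; raise it to 2 where containers on the
    host must reach the metadata service through the instance's network stack.
    """
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {instance_id} --http-tokens required "
        f"--http-endpoint enabled --http-put-response-hop-limit {hop_limit}"
    )


def imdsv2_token_request(ttl_seconds: int = IMDSV2_MAX_TOKEN_TTL) -> dict:
    """Describe the PUT that opens an IMDSv2 session (built for reference, not sent).

    IMDSv2 issues a token only in response to a PUT that carries the TTL
    header; subsequent metadata GETs must present that token. The TTL is
    capped at six hours, matching the expiry described in the rationale.
    """
    if not 1 <= ttl_seconds <= IMDSV2_MAX_TOKEN_TTL:
        raise ValueError(f"TTL must be between 1 and {IMDSV2_MAX_TOKEN_TTL} seconds")
    return {
        "method": "PUT",
        "url": "http://169.254.169.254/latest/api/token",
        "headers": {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    }


if __name__ == "__main__":
    for finding in find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{finding['InstanceId']}: HttpTokens={finding['HttpTokens']}")
        print("  fix:", remediation_command(finding["InstanceId"]))
```

Run against real output by piping `aws ec2 describe-instances --output json` into `find_imdsv1_instances`; only `i-0aaa111example` is reported for the constructed sample, and the printed command is the one-line enforcement step per instance. Setting `--http-tokens required` takes effect immediately, so confirm that software on the instance already uses the token flow (the transition docs linked above) before applying it fleet-wide.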