EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)


Description

This control checks whether an Amazon EC2 launch template has all versions configured with Instance Metadata Service Version 2 (IMDSv2). The control fails if any version does not have HttpTokens set to required. Datadog recommends deleting any unused launch template versions, as they can be accidentally assigned to new infrastructure components at any time.

Remediation

  1. Identify problematic versions: Review all versions of the launch template to identify which ones have IMDSv1 configuration or missing metadata options.

  2. Validate version usage: Check if any problematic versions are currently in use by Auto Scaling Groups, EC2 instances, or other services before taking action.

  3. Choose remediation approach:

    • Update existing versions: Modify problematic versions to use IMDSv2 by setting HttpTokens to required
    • Delete unused versions: Remove versions that are not in use and have security issues
    • Create new version: Create a new version with proper IMDSv2 configuration and update references

To configure IMDSv2 on launch template versions, see Configure the Instance Metadata Service options in the Amazon EC2 User Guide.
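The three remediation steps above, worked through in code. This is an added example, not Datadog's or AWS's own code: it runs on the JSON that `aws ec2 describe-launch-template-versions` and `aws autoscaling describe-auto-scaling-groups` return, so the same functions work on a captured CLI dump or on the constructed sample embedded below (the template id `lt-0123456789abcdef0`, the AMI id and the ASG names are made up). Because launch template versions are immutable in AWS, the "update" path is implemented as the CLI does it: a hardened copy created from the failing version with `--source-version`, leaving every other setting inherited.

```python
"""Audit every version of an EC2 launch template for IMDSv2 and plan the fix.

Operates on the output shapes of
  aws ec2 describe-launch-template-versions --launch-template-id <id>
  aws autoscaling describe-auto-scaling-groups
Added example for this page; template id, AMI id and ASG names are constructed.
"""
import json
import shlex

# Constructed sample (not real infrastructure): three versions of one template.
#  v1: IMDSv1 still allowed (HttpTokens optional) and it is the default version
#  v2: no MetadataOptions block at all (instances inherit account defaults)
#  v3: IMDSv2 enforced
SAMPLE_VERSIONS = {"LaunchTemplateVersions": [
    {"LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-lt",
     "VersionNumber": 1, "DefaultVersion": True,
     "LaunchTemplateData": {"ImageId": "ami-00000000000000000",
                            "MetadataOptions": {"HttpTokens": "optional",
                                                "HttpPutResponseHopLimit": 1,
                                                "HttpEndpoint": "enabled"}}},
    {"LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-lt",
     "VersionNumber": 2, "DefaultVersion": False,
     "LaunchTemplateData": {"ImageId": "ami-00000000000000000"}},
    {"LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-lt",
     "VersionNumber": 3, "DefaultVersion": False,
     "LaunchTemplateData": {"ImageId": "ami-00000000000000000",
                            "MetadataOptions": {"HttpTokens": "required",
                                                "HttpPutResponseHopLimit": 1,
                                                "HttpEndpoint": "enabled"}}},
]}

# Constructed sample: one ASG follows $Default, one (mixed instances) is pinned to v3.
SAMPLE_ASGS = {"AutoScalingGroups": [
    {"AutoScalingGroupName": "web-asg",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0123456789abcdef0", "Version": "$Default"}},
    {"AutoScalingGroupName": "batch-asg",
     "MixedInstancesPolicy": {"LaunchTemplate": {"LaunchTemplateSpecification": {
         "LaunchTemplateId": "lt-0123456789abcdef0", "Version": "3"}}}},
]}


def noncompliant_versions(describe_output):
    """Step 1: version numbers that do not enforce IMDSv2.
    A missing MetadataOptions block counts as failing, as the control does."""
    bad = []
    for v in describe_output["LaunchTemplateVersions"]:
        opts = v["LaunchTemplateData"].get("MetadataOptions") or {}
        if opts.get("HttpTokens") != "required":
            bad.append(v["VersionNumber"])
    return bad


def versions_in_use(describe_output, asg_output):
    """Step 2: map version number -> names of ASGs referencing it, resolving
    $Default and $Latest to concrete numbers. (Instances launched outside an
    ASG would need a separate describe-instances check.)"""
    versions = describe_output["LaunchTemplateVersions"]
    template_id = versions[0]["LaunchTemplateId"]
    default = next(v["VersionNumber"] for v in versions if v.get("DefaultVersion"))
    latest = max(v["VersionNumber"] for v in versions)
    used = {}
    for asg in asg_output["AutoScalingGroups"]:
        spec = asg.get("LaunchTemplate") or asg.get("MixedInstancesPolicy", {}) \
            .get("LaunchTemplate", {}).get("LaunchTemplateSpecification")
        if not spec or spec.get("LaunchTemplateId") != template_id:
            continue  # launch configuration or a different template
        ref = spec.get("Version", "$Default")  # omitted Version means $Default
        number = default if ref == "$Default" else latest if ref == "$Latest" else int(ref)
        used.setdefault(number, []).append(asg["AutoScalingGroupName"])
    return used


def hardened_data(version):
    """Fragment for --launch-template-data: keep the existing IMDS settings
    (hop limit, endpoint) and force HttpTokens to required. Everything else
    is inherited from --source-version."""
    opts = dict(version["LaunchTemplateData"].get("MetadataOptions") or {})
    opts["HttpTokens"] = "required"
    opts.setdefault("HttpEndpoint", "enabled")
    return {"MetadataOptions": opts}


def remediation_plan(describe_output, asg_output):
    """Step 3: one AWS CLI command (as argv) per failing version. A version that
    is referenced or is the default is superseded by a hardened copy; an unused
    one is deleted, as the description recommends."""
    versions = {v["VersionNumber"]: v for v in describe_output["LaunchTemplateVersions"]}
    template_id = next(iter(versions.values()))["LaunchTemplateId"]
    used = versions_in_use(describe_output, asg_output)
    plan = []
    for number in noncompliant_versions(describe_output):
        version = versions[number]
        if number in used or version.get("DefaultVersion"):
            plan.append(["aws", "ec2", "create-launch-template-version",
                         "--launch-template-id", template_id,
                         "--source-version", str(number),
                         "--version-description", f"IMDSv2 required (supersedes v{number})",
                         "--launch-template-data", json.dumps(hardened_data(version))])
            # Follow-up not generated here: point the default (modify-launch-template
            # --default-version) or the pinned ASGs (update-auto-scaling-group) at the new version.
        else:
            plan.append(["aws", "ec2", "delete-launch-template-versions",
                         "--launch-template-id", template_id, "--versions", str(number)])
    return plan


if __name__ == "__main__":
    print("failing versions:", noncompliant_versions(SAMPLE_VERSIONS))
    print("in use:", versions_in_use(SAMPLE_VERSIONS, SAMPLE_ASGS))
    for cmd in remediation_plan(SAMPLE_VERSIONS, SAMPLE_ASGS):
        print(shlex.join(cmd))
```

On the sample, v1 and v2 fail; v1 is both the default and used by `web-asg`, so it gets a hardened successor, while the unreferenced v2 is deleted outright. Run it against real output by loading the two JSON dumps with `json.load` in place of the samples; the printed commands are shell-quoted so the `--launch-template-data` JSON survives copy and paste.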