<  Back to rules search

EC2 instance uses IMDSv2

ec2
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Use the IMDSv2 session-oriented communication method to transport instance metadata.

Rationale

AWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.

Remediation

Follow the Transition to using Instance Metadata Service Version 2 docs to learn how to transition and reconfigure your software.