EC2 instances and autoscaling groups should enforce IMDSv2

Description

Use the IMDSv2 session-oriented communication method to transport instance metadata.

For more information, please refer to our in-depth explanation of what IMDSv2 is and why it matters.

By default, AWS allows an instance to use IMDSv1, IMDSv2, or both. IMDSv1 answers plain GET requests, which leaves the metadata endpoint exposed to a number of vulnerabilities; IMDSv2 instead uses session-oriented requests protected by a secret token that expires after at most six hours. This adds protection against misconfigured open web application firewalls, misconfigured open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured open layer-3 firewalls and network address translation.

This check first determines whether the EC2 instance belongs to an Auto Scaling Group (ASG) and, if so, whether that ASG requires IMDSv2 through its launch configuration or launch template. If the instance is not part of an ASG that sets these parameters, the check falls back to the instance's own standalone IMDSv2 settings and verifies that http_token is set to required and that the state is applied.
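The evaluation order described above, written out as an added example (this is illustrative code, not the check's own implementation). The dictionaries imitate the shape of the EC2 and Auto Scaling API responses (MetadataOptions with HttpTokens and State on the instance, MetadataOptions.HttpTokens on launch template data and launch configurations, and the Instances list of an ASG), but every identifier and value in them is constructed sample data:

```python
"""Decide whether EC2 instances enforce IMDSv2.

Order of evaluation, as in the check described above:
  1. Instance in an ASG -> does the ASG's launch template or launch
     configuration set HttpTokens=required?
  2. Otherwise -> does the instance's own MetadataOptions set
     HttpTokens=required with State=applied?
All data below is hand-built to mirror the AWS API response shapes; it is
not real API output.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Finding:
    instance_id: str
    compliant: bool
    source: str   # "launch-template", "launch-configuration" or "instance"
    reason: str


def _requires_imdsv2(metadata_options: Optional[dict]) -> bool:
    """True when MetadataOptions disables IMDSv1 (HttpTokens == 'required')."""
    return bool(metadata_options) and metadata_options.get("HttpTokens") == "required"


def evaluate_instance(instance: dict, asg: Optional[dict],
                      launch_templates: Dict[str, dict],
                      launch_configs: Dict[str, dict]) -> Finding:
    iid = instance["InstanceId"]

    # Step 1: the ASG's launch template or launch configuration wins if it
    # already enforces IMDSv2 for every instance the group launches.
    if asg is not None:
        lt_ref = asg.get("LaunchTemplate")
        if lt_ref:
            lt_data = launch_templates.get(lt_ref["LaunchTemplateId"], {})
            if _requires_imdsv2(lt_data.get("MetadataOptions")):
                return Finding(iid, True, "launch-template",
                               f"ASG {asg['AutoScalingGroupName']} launch template sets HttpTokens=required")
        lc_name = asg.get("LaunchConfigurationName")
        if lc_name:
            lc = launch_configs.get(lc_name, {})
            if _requires_imdsv2(lc.get("MetadataOptions")):
                return Finding(iid, True, "launch-configuration",
                               f"launch configuration {lc_name} sets HttpTokens=required")

    # Step 2: fall back to the instance itself. A pending change is not yet
    # enforced, so State must be 'applied' as well.
    mo = instance.get("MetadataOptions", {})
    tokens, state = mo.get("HttpTokens"), mo.get("State")
    if tokens == "required" and state == "applied":
        return Finding(iid, True, "instance", "HttpTokens=required and State=applied")
    return Finding(iid, False, "instance", f"HttpTokens={tokens}, State={state}")


def evaluate_all(instances, asgs, launch_templates, launch_configs) -> Dict[str, Finding]:
    # ASG membership comes from each group's Instances list.
    asg_by_instance = {m["InstanceId"]: g for g in asgs for m in g.get("Instances", [])}
    return {
        i["InstanceId"]: evaluate_instance(i, asg_by_instance.get(i["InstanceId"]),
                                           launch_templates, launch_configs)
        for i in instances
    }


# ---- constructed sample inventory (placeholder ids, not real resources) ----
LAUNCH_TEMPLATES = {
    "lt-0example1": {"MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
}
LAUNCH_CONFIGS = {
    "lc-legacy": {"MetadataOptions": {"HttpTokens": "optional"}},
}
ASGS = [
    {"AutoScalingGroupName": "web-asg",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0example1", "Version": "$Latest"},
     "Instances": [{"InstanceId": "i-0aaa"}]},
    {"AutoScalingGroupName": "legacy-asg",
     "LaunchConfigurationName": "lc-legacy",
     "Instances": [{"InstanceId": "i-0ddd"}, {"InstanceId": "i-0eee"}]},
]
INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "required", "State": "applied"}},  # enforced by ASG template
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required", "State": "applied"}},  # standalone, hardened
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpTokens": "optional", "State": "applied"}},  # standalone, IMDSv1 still allowed
    {"InstanceId": "i-0ddd", "MetadataOptions": {"HttpTokens": "required", "State": "applied"}},  # ASG config is weak, instance hardened individually
    {"InstanceId": "i-0eee", "MetadataOptions": {"HttpTokens": "required", "State": "pending"}},  # change requested but not yet applied
]

if __name__ == "__main__":
    for f in evaluate_all(INSTANCES, ASGS, LAUNCH_TEMPLATES, LAUNCH_CONFIGS).values():
        print(f"{f.instance_id}: {'PASS' if f.compliant else 'FAIL'} ({f.source}: {f.reason})")
```

Note the two failure modes the sample covers: an instance whose ASG launch configuration still allows IMDSv1 is only compliant if the instance itself was hardened afterwards, and HttpTokens=required alone is not enough while State is still pending.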

Remediation

Follow the Transition to using Instance Metadata Service Version 2 docs to learn how to transition and reconfigure your software.