Ensure that EC2 Metadata Service only allows IMDSv2

Using the Instance Metadata Service Version 2 (IMDSv2) provides additional protection against server-side request forgery (SSRF) attacks.

Risk Level: Medium
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.90
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

Instance where metadataOptions.httpEndpoint='enabled' should have metadataOptions.httpTokens='required'

REMEDIATION

Note: Modification of the metadata options is not yet available via AWS Console.

From TF
To set the instance metadata 'http-tokens' to 'required', update the 'metadata_options' block:

resource "aws_instance" "instance_example" {
  ..
  metadata_options {
    ..
    # "required" rejects token-less (IMDSv1) requests; "optional" is the permissive setting
    http_tokens = "required"
    ..
  }
  ..
}

From Command Line
To set the instance metadata 'http-tokens' to 'required', run:

aws ec2 modify-instance-metadata-options --instance-id INSTANCE-ID --http-tokens required
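The GSL logic above can be applied offline to `aws ec2 describe-instances` output to list instances that still accept token-less IMDSv1 requests, and to print the remediation command given above for each of them. This is an added example, not CloudGuard's own code; the instance IDs and JSON are constructed, and an instance with no MetadataOptions in the output is treated conservatively as a finding (an assumption, not an AWS guarantee).

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output,
# trimmed to the fields the rule needs. Not real instance data.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0ddd444example"},  # MetadataOptions absent from output
        ]
    }]
})


def instance_violates_rule(instance: dict) -> bool:
    """Mirror the GSL logic: an instance is in scope when HttpEndpoint is
    'enabled' and violates the rule when HttpTokens is not 'required'.
    Missing fields fall back to 'enabled'/'optional' (assumption: fail closed,
    so an instance we cannot classify shows up as a finding)."""
    opts = instance.get("MetadataOptions", {})
    endpoint = opts.get("HttpEndpoint", "enabled")
    tokens = opts.get("HttpTokens", "optional")
    return endpoint == "enabled" and tokens != "required"


def find_imdsv1_instances(describe_output: str) -> list[str]:
    """Return the IDs of instances that still answer token-less IMDS requests."""
    data = json.loads(describe_output)
    return [inst["InstanceId"]
            for reservation in data.get("Reservations", [])
            for inst in reservation.get("Instances", [])
            if instance_violates_rule(inst)]


def remediation_commands(instance_ids: list[str]) -> list[str]:
    """Emit the page's CLI remediation once per non-compliant instance."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {i} --http-tokens required"
            for i in instance_ids]


if __name__ == "__main__":
    findings = find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)
    for cmd in remediation_commands(findings):
        print(cmd)
```

Note that an instance with `HttpEndpoint` disabled is not a finding: with the metadata service switched off entirely there is no IMDSv1 surface to harden.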

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-metadata-options.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CIS Foundations v. 2.0.0
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset