Ensure IMDS Response Hop Limit is Set to One
The IMDS (Instance Metadata Service) serves instance metadata, including IAM role credentials, to EC2 instances over the link-local address. With IMDSv2, the session token is returned in the response to a PUT request, and the HTTP PUT response hop limit sets the IP TTL of that response. When the hop limit is greater than one, the PUT response carrying the secret token can be forwarded beyond the instance itself, for example through a container or proxy running on the instance with its own network hop. Ensure that the hop limit is set to one so the token response cannot leave the instance.
Risk Level: Low
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.97
Covered by Spectral: No
Category: Compute
GSL LOGIC
Instance where metadataOptions.httpEndpoint = 'enabled' should not have metadataOptions.httpPutResponseHopLimit > 1
REMEDIATION
From Portal
- Log into the AWS Management Console.
- Navigate to EC2 Dashboard.
- Select the specific EC2 instance.
- Under 'Instance Settings', locate 'Metadata Options'.
- Set 'HTTP Put Response Hop Limit' to '1' and Save changes.
From TF
resource "aws_instance" "example" {
  # ami, instance_type and other arguments omitted: keep your existing values.

  metadata_options {
    http_endpoint               = "enabled"  # IMDS stays reachable from the instance
    http_put_response_hop_limit = 1          # token PUT response cannot be forwarded off-instance
  }
}
From Command Line
- Use the AWS CLI to modify the instance metadata options:
aws ec2 modify-instance-metadata-options --instance-id [INSTANCE_ID] --http-put-response-hop-limit 1 --http-endpoint enabled
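The rule logic above (flag an instance only when the IMDS endpoint is enabled and the hop limit is above one) and the CLI remediation can be combined into a small audit script. The following is an added example, not CloudGuard's or AWS's own code: it evaluates the GSL condition over a constructed `aws ec2 describe-instances` JSON document (the instance IDs are made up) and builds the `modify-instance-metadata-options` command from the page for each non-compliant instance. Feeding it real output from `aws ec2 describe-instances --output json` is the assumed usage.

```python
"""Audit EC2 instances for CloudGuard rule D9.AWS.NET.97 (IMDS hop limit)
using the JSON shape returned by `aws ec2 describe-instances`."""
import json
import sys
from typing import Iterator, List

# Constructed sample output (instance IDs are invented for this example).
# Instance 3 has a high hop limit but IMDS disabled, so the rule must not fire on it.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 64, "HttpEndpoint": "disabled"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ddddddddddddddd4",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 3, "HttpEndpoint": "enabled"}},
        ]},
    ]
})


def iter_instances(describe_json: str) -> Iterator[dict]:
    """Flatten the Reservations -> Instances nesting of describe-instances."""
    for reservation in json.loads(describe_json).get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def is_noncompliant(instance: dict) -> bool:
    """GSL: metadataOptions.httpEndpoint = 'enabled' AND httpPutResponseHopLimit > 1."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") != "enabled":
        return False  # IMDS is off: no token response can be issued, rule does not apply
    # A missing hop limit cannot satisfy "> 1", matching the GSL comparison.
    return opts.get("HttpPutResponseHopLimit", 0) > 1


def find_noncompliant(describe_json: str) -> List[str]:
    """Return the IDs of instances that violate the rule, in input order."""
    return [i["InstanceId"] for i in iter_instances(describe_json) if is_noncompliant(i)]


def remediation_command(instance_id: str) -> str:
    """The CLI fix from the page, with the instance ID filled in."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} "
            "--http-put-response-hop-limit 1 --http-endpoint enabled")


if __name__ == "__main__":
    # Read describe-instances JSON from stdin, or fall back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    for instance_id in find_noncompliant(data or SAMPLE_DESCRIBE_INSTANCES):
        print(remediation_command(instance_id))
```

Run it as `aws ec2 describe-instances --output json | python3 imds_hop_audit.py` to get one remediation command per offending instance; review them before executing, since the command also re-enables the endpoint on any instance where it was disabled.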
References
Amazon EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Compliance Frameworks
- CloudGuard AWS All Rules Ruleset