Control: 2.8 Ensure the Use of IMDSv2 is Enforced on All Existing Instances
Description
Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled on all running instances.
The IMDSv2 method uses session-based controls to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. With IMDSv2, controls can be implemented to restrict changes to instance metadata.
Remediation
From the Console:
- At this time the instance metadata setting for existing instances can only be changed using the AWS CLI.
From the CLI:
- Run the modify-instance-metadata-options command using the list of instances collected in the audit:
aws ec2 modify-instance-metadata-options --instance-id i-1234567abcdefghi0 --http-tokens required --http-endpoint enabled
- The output should show the information for the instance and the metadata changes:
{"InstanceId": "i-1234567abcdefghi0", "InstanceMetadataOptions": {"State": "pending", "HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}}
- Repeat for the other instances and regions collected during the audit.
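The audit-then-remediate loop above, as an added example that is not part of the Powerpipe control or the aws_compliance mod. It assumes an object exposing the boto3 EC2 client methods describe_instances() and modify_instance_metadata_options(); a constructed in-memory stand-in is used here so it runs offline, and an instance whose metadata endpoint is disabled is treated as compliant (an assumption, since IMDSv1 cannot be answered there).

```python
"""Flag EC2 instances still answering IMDSv1 and apply the control's fix.

Added example. With boto3 installed, replace FakeEC2() below with
boto3.client("ec2", region_name=<region>) and repeat per region.
"""


def find_imdsv1_instances(describe_output):
    """IDs of instances whose metadata endpoint is enabled but does not
    require session tokens (HttpTokens != 'required'), i.e. IMDSv1 works."""
    noncompliant = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                noncompliant.append(inst["InstanceId"])
    return noncompliant


def enforce_imdsv2(ec2, instance_ids):
    """Apply the same change as the CLI remediation to each instance and
    return (instance id, HttpTokens reported by the API) pairs."""
    results = []
    for iid in instance_ids:
        resp = ec2.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required", HttpEndpoint="enabled")
        results.append((iid, resp["InstanceMetadataOptions"]["HttpTokens"]))
    return results


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client; sample instance IDs only."""

    def __init__(self):
        self.instances = {
            "i-0aaaaaaaaaaaaaaa1": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
            "i-0bbbbbbbbbbbbbbb2": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
            "i-0ccccccccccccccc3": {"HttpEndpoint": "disabled", "HttpTokens": "optional"},
        }

    def describe_instances(self):
        return {"Reservations": [{"Instances": [
            {"InstanceId": iid, "MetadataOptions": dict(o)} for iid, o in self.instances.items()]}]}

    def modify_instance_metadata_options(self, InstanceId, HttpTokens, HttpEndpoint):
        self.instances[InstanceId].update(HttpTokens=HttpTokens, HttpEndpoint=HttpEndpoint)
        return {"InstanceId": InstanceId,
                "InstanceMetadataOptions": {"State": "pending", **self.instances[InstanceId]}}


if __name__ == "__main__":
    ec2 = FakeEC2()
    bad = find_imdsv1_instances(ec2.describe_instances())
    print("non-compliant:", bad, "remediated:", enforce_imdsv2(ec2, bad))
```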
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_8 --share
SQL
This control uses a named query:
ec2_instance_uses_imdsv2