Control: 5.6 Ensure that EC2 Metadata Service only allows IMDSv2
Description
When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).
Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.
Remediation
From Console:
- Log in to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/.
- Under the Instances menu, select Instances.
- For each Instance, select the instance, then choose Actions > Modify instance metadata options.
- If the Instance metadata service is enabled, set IMDSv2 to Required.
From Command Line:
aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v200_5_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v200_5_6 --share
SQL
This control uses a named query:
ec2_instance_uses_imdsv2
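As an added illustration of what a control query of this kind evaluates, the following is written in the result shape Powerpipe/Steampipe controls expect (resource, status, reason, region, account_id); it is not the mod's own ec2_instance_uses_imdsv2 query. It assumes the Steampipe aws_ec2_instance table and its metadata_options jsonb column, which carries the instance's HttpEndpoint and HttpTokens settings.

```sql
-- Illustrative IMDSv2 check (assumed table/column names, not the mod's query).
-- An instance whose metadata endpoint is disabled cannot be abused via IMDSv1,
-- so it is treated as compliant; otherwise HttpTokens must be 'required'.
select
  arn as resource,
  case
    when metadata_options ->> 'HttpEndpoint' = 'disabled' then 'ok'
    when metadata_options ->> 'HttpTokens' = 'required' then 'ok'
    else 'alarm'
  end as status,
  case
    when metadata_options ->> 'HttpEndpoint' = 'disabled'
      then title || ' has the instance metadata service disabled.'
    when metadata_options ->> 'HttpTokens' = 'required'
      then title || ' requires IMDSv2 (HttpTokens = required).'
    else title || ' still allows IMDSv1 (HttpTokens = '
      || coalesce(metadata_options ->> 'HttpTokens', 'unset') || ').'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;
```

Any row returning 'alarm' is an instance the command-line remediation above should be applied to; re-running the query afterwards confirms the setting took effect.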