v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2

Description

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).

Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, such as host name, events, and security groups.

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally stored EC2 instance metadata and credentials.

Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.

Remediation

From Console:

  1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at (https://console.aws.amazon.com/ec2/)[https://console.aws.amazon.com/ec2/].
  2. In the left navigation panel, under the INSTANCES section, choose Instances.
  3. Select the EC2 instance that you want to examine.
  4. Choose Actions > Instance Settings > Modify instance metadata options.
  5. Set Instance metadata service to Enable.
  6. Set IMDSv2 to Required.
  7. Repeat steps 1-6 to perform the remediation process for other EC2 instances in all applicable AWS region(s).

From Command Line:

  1. Run the describe-instances command, applying the appropriate filters to list the IDs of all existing EC2 instances currently available in the selected region:
aws ec2 describe-instances --region <region-name> --output table --query "Reservations[*].Instances[*].InstanceId"
  1. The command output should return a table with the requested instance IDs.
  2. Run the modify-instance-metadata-options command with an instance ID obtained from the previous step to update the Instance Metadata Version:
aws ec2 modify-instance-metadata-options --instance-id <instance-id> -- http-tokens required --region <region-name>
  1. Repeat steps 1-3 to perform the remediation process for other EC2 instances in the same AWS region.
  2. Change the region by updating --region and repeat the process for other regions.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v400_5_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v400_5_7 --share

SQL

This control uses a named query:

ec2_instance_uses_imdsv2

Tags

category = Compliance
cis = true
cis_item_id = 5.7
cis_level = 1
cis_section_id = 5
cis_type = automated
cis_version = v4.0.0
plugin = aws
service = AWS/EC2