turbot/aws_compliance

Control: 3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

Description

This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled.

IMDS provides data about your instance that you can use to configure or manage the running instance.

Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances.

Remediation

An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see Configure instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_autoscaling_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_autoscaling_3 --share

SQL

This control uses a named query:

autoscaling_launch_config_requires_imdsv2

Tags