Control: 3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
Description
This control checks whether IMDSv2 is required on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the launch configuration does not set instance metadata options at all, or if it sets HttpTokens to optional, which allows both IMDSv1 and IMDSv2; only a launch configuration with HttpTokens set to required passes.
IMDS provides data about your instance that you can use to configure or manage the running instance.
Version 2 of the IMDS adds protections that were not available in IMDSv1. Every IMDSv2 request must carry a session token, which is obtained with an HTTP PUT that includes the X-aws-ec2-metadata-token-ttl-seconds header, and the hop limit on the token response (HttpPutResponseHopLimit, best left at 1 unless containers on the instance need IMDS) keeps the token from being relayed beyond the instance. Together these close the classic credential-theft path, in which an attacker abuses a server-side request forgery, an open proxy or a misconfigured reverse proxy on the instance to issue a plain GET to http://169.254.169.254/ and read the instance role's temporary credentials.
Remediation
An Auto Scaling group is associated with one launch configuration at a time, and a launch configuration cannot be modified after it is created. To change it, create a new launch configuration based on the existing one, with the metadata option HttpTokens set to required, and attach that to the Auto Scaling group. Instances that are already running keep the metadata options they were launched with, so either start an instance refresh on the group or run aws ec2 modify-instance-metadata-options --http-tokens required against each existing instance. For more information, see Configure instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_autoscaling_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_autoscaling_3 --share
SQL
This control uses a named query:
autoscaling_launch_config_requires_imdsv2
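The following SQL is an added illustration of how a Powerpipe control query for this check can be written, together with a triage query that maps failing launch configurations back to the Auto Scaling groups that use them. It is not the mod's own query body, and it assumes (as Steampipe's AWS plugin documents them, but not confirmed by this page) that the aws_ec2_launch_configuration table exposes launch_configuration_arn, name, title, metadata_options_http_tokens, account_id and region, and that aws_autoscaling_group exposes name, launch_configuration_name, account_id and region. A Powerpipe control query must return the columns resource, status (ok, alarm, error, info or skip) and reason; any further columns are reported as dimensions.

```sql
-- Added illustration, not the mod's query. Column names are assumptions
-- taken from the Steampipe AWS plugin's table documentation.

-- 1. Per-launch-configuration check. Only HttpTokens = 'required' passes;
--    'optional' (IMDSv1 and IMDSv2 both allowed) and NULL (no metadata
--    options set in the launch configuration) both raise an alarm, matching
--    the control's description.
select
  launch_configuration_arn as resource,
  case
    when metadata_options_http_tokens = 'required' then 'ok'
    else 'alarm'
  end as status,
  case
    when metadata_options_http_tokens = 'required'
      then title || ' requires IMDSv2 (HttpTokens = required).'
    when metadata_options_http_tokens = 'optional'
      then title || ' allows IMDSv1 and IMDSv2 (HttpTokens = optional).'
    else title || ' does not set instance metadata options.'
  end as reason,
  account_id,
  region
from
  aws_ec2_launch_configuration;

-- 2. Triage: which Auto Scaling groups currently launch from a failing
--    launch configuration. Launch configuration names are unique only per
--    account and region, so the join is scoped to both.
select
  g.name as auto_scaling_group,
  g.account_id,
  g.region,
  lc.name as launch_configuration,
  coalesce(lc.metadata_options_http_tokens, 'unset') as http_tokens
from
  aws_autoscaling_group as g
  join aws_ec2_launch_configuration as lc
    on lc.name = g.launch_configuration_name
    and lc.account_id = g.account_id
    and lc.region = g.region
where
  lc.metadata_options_http_tokens is distinct from 'required'
order by
  g.account_id, g.region, g.name;
```

The triage query deliberately uses an inner join, so Auto Scaling groups that launch from a launch template rather than a launch configuration are not listed; this control only covers launch configurations, and launch templates need their own check of the same HttpTokens setting.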