Control: 3.1 Ensure Compute Instance Legacy Metadata service endpoint is disabled

Description

Compute Instances that utilize Legacy MetaData service endpoints (IMDSv1) are susceptible to potential SSRF attacks. To bolster security measures, it is strongly advised to reconfigure Compute Instances to adopt Instance Metadata Service v2, aligning with the industry's best security practices.

Enabling Instance Metadata Service v2 enhances security and grants precise control over metadata access. Transitioning from IMDSv1 reduces the risk of SSRF attacks, bolstering system protection.

IMDv1 poses security risks due to its inferior security measures and limited auditing capabilities. Transitioning to IMDv2 ensures a more secure environment with robust security features and improved monitoring capabilities.

Remediation

From Console

1. Login to OCI Console.
2. Click on the search box at the top of the console and search for compute instance name.
3. Click on the instance name, In the Instance Details section, next to Instance Metadata Service, click Edit.
4. For the Instance metadata service, select the Version 2 only option.
5. Click Save Changes.

Note: Disabling IMDSv1 on an incompatible instance may result in connectivity issues upon launch.

To re-enable IMDSv1, follow these steps:

1. On the Instance Details page in the Console, click Edit next to Instance Metadata Service.
2. Choose the Version 1 and version 2 option, and save your changes.

From CLI

Run Below Command,

oci compute instance update --instance-id [instance-ocid] --instance-options '{"areLegacyImdsEndpointsDisabled" :"true"}'

This will set Instance Metadata Service to use Version 2 Only.

Default Value

Versions 1 and 2