turbot/steampipe-mod-aws-compliance

Control: 2.8 Ensure the Use of IMDSv2 is Enforced on All Existing Instances

Description

Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled on all running instances.

The IMDSv2 method uses session-based controls to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. With IMDSv2, controls can be implemented to restrict changes to instance metadata.

Remediation

From the Console:

  1. At this time the instance metadata setting for existing instances can only be changed using the AWS CLI.

From the CLI:

  1. Run the modify-instance-metadata-options command using the list of instances collected in the audit:

     aws ec2 modify-instance-metadata-options --instance-id i-1234567abcdefghi0 --http-tokens required --http-endpoint enabled

  2. The output should show the information for the instance and the metadata changes:

     {
         "InstanceId": "i-1234567abcdefghi0",
         "InstanceMetadataOptions": {
             "State": "pending",
             "HttpTokens": "required",
             "HttpPutResponseHopLimit": 1,
             "HttpEndpoint": "enabled"
         }
     }

  3. Repeat for the other instances and regions collected during the audit.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_8 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm'
    else 'ok'
  end as status,
  case
    when metadata_options ->> 'HttpTokens' = 'optional' then title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'
    else title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;
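As an added example that is not part of the mod, the same rule the query applies (HttpTokens = 'optional' is an alarm) implemented in Python over the JSON that `aws ec2 describe-instances` returns for one region, followed by the remediation command from the steps above generated for each non-compliant instance. The sample JSON is constructed, and `evaluate` and `remediation_commands` are hypothetical names.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output,
# trimmed to the fields this control reads (InstanceId, MetadataOptions).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0aaa000000000002",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaa000000000003",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
        ]},
    ]
})

def evaluate(describe_output, region):
    """Apply the control's rule to every instance in one region's describe-instances
    output: HttpTokens == 'optional' is 'alarm', anything else is 'ok' (same as the SQL)."""
    data = json.loads(describe_output)
    results = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            tokens = opts.get("HttpTokens")
            results.append({
                "instance_id": inst["InstanceId"],
                "region": region,
                "http_tokens": tokens,
                "http_endpoint": opts.get("HttpEndpoint", "enabled"),
                "status": "alarm" if tokens == "optional" else "ok",
            })
    return results

def remediation_commands(results):
    """Emit the modify-instance-metadata-options command for each 'alarm' result, keeping
    the instance's current HttpEndpoint value so a deliberately disabled endpoint is not reopened."""
    return [
        f"aws ec2 modify-instance-metadata-options --region {r['region']} "
        f"--instance-id {r['instance_id']} --http-tokens required --http-endpoint {r['http_endpoint']}"
        for r in results if r["status"] == "alarm"
    ]
```

Feed it the real output of `aws ec2 describe-instances --region <region>` once per region to reproduce the audit list, and review the generated commands before running them.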

Tags