Control: 5.6 Ensure that EC2 Metadata Service only allows IMDSv2
Description
When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).
Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.
Remediation
From Console:
- Log in to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/.
- Under the Instances menu, select Instances.
- For each Instance, select the instance, then choose Actions > Modify instance metadata options.
- If the Instance metadata service is enabled, set IMDSv2 to Required.
From Command Line:
aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v200_5_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v200_5_6 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm'
    else 'ok'
  end as status,
  case
    when metadata_options ->> 'HttpTokens' = 'optional' then title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'
    else title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;
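As an added example (not part of this page or the aws_compliance mod), the same rule applied in Python to a constructed aws ec2 describe-instances payload: it yields the control's status and reason per instance and builds the remediation command for each alarming one. The instance IDs and Name tags are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output;
# IDs and tags are made up for the example, not real resources.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaa000000000001", "Tags": [{"Key": "Name", "Value": "web-1"}],
   "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
  {"InstanceId": "i-0aaaa000000000002", "Tags": [{"Key": "Name", "Value": "web-2"}],
   "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
  {"InstanceId": "i-0aaaa000000000003",
   "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}}
]}]}
""")


def instance_title(instance: dict) -> str:
    """Name tag if present, else the instance ID (stand-in for the SQL's title column)."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return instance["InstanceId"]


def evaluate_instance(instance: dict) -> dict:
    """The control's rule: HttpTokens = 'optional' still accepts IMDSv1 requests -> alarm;
    anything else -> ok. Like the SQL, it keys on HttpTokens only, not HttpEndpoint."""
    tokens = instance.get("MetadataOptions", {}).get("HttpTokens")
    title = instance_title(instance)
    if tokens == "optional":
        status = "alarm"
        reason = f"{title} not configured to use Instance Metadata Service Version 2 (IMDSv2)."
    else:
        status = "ok"
        reason = f"{title} configured to use Instance Metadata Service Version 2 (IMDSv2)."
    return {"resource": instance["InstanceId"], "status": status, "reason": reason}


def evaluate_describe_output(payload: dict) -> list:
    """Evaluate every instance across all reservations."""
    return [evaluate_instance(inst)
            for reservation in payload.get("Reservations", [])
            for inst in reservation.get("Instances", [])]


def remediation_command(instance_id: str) -> str:
    """The page's CLI remediation, filled in for one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required")


def remediation_plan(payload: dict) -> list:
    """One remediation command per alarming instance, for review before running."""
    return [remediation_command(r["resource"])
            for r in evaluate_describe_output(payload) if r["status"] == "alarm"]
```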