Control: EC2 instances should use IMDSv2
Description
Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of AWS Elastic Compute Cloud (AWS EC2) instance metadata.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ec2_instance_uses_imdsv2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.ec2_instance_uses_imdsv2 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when metadata_options ->> 'HttpTokens' = 'required'
      and metadata_options ->> 'State' = 'applied' then 'ok'
    else 'alarm'
  end as status,
  case
    when metadata_options ->> 'HttpTokens' = 'required'
      and metadata_options ->> 'State' = 'applied'
      then title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'
    else title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'
  end as reason,
  region,
  account_id
from
  aws_ec2_instance;
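The same pass/fail decision the query makes, applied to constructed aws_ec2_instance rows and paired with the AWS CLI command that enforces IMDSv2 on an alarming instance (an added example, not code from the Powerpipe mod; the instance IDs, names and regions are made up). It also covers the case the control's `State = 'applied'` clause exists for: a modification that is still pending.

```python
"""Mirror of the IMDSv2 control's logic over constructed rows (example code)."""


# Constructed sample rows shaped like the metadata_options column of the
# Steampipe aws_ec2_instance table; instance IDs and names are placeholders.
SAMPLE_ROWS = [
    {"instance_id": "i-0example000000001", "title": "web-1", "region": "us-east-1",
     "metadata_options": {"HttpTokens": "required", "State": "applied"}},
    {"instance_id": "i-0example000000002", "title": "batch-2", "region": "us-east-1",
     "metadata_options": {"HttpTokens": "optional", "State": "applied"}},
    # Change still in flight: HttpTokens already reads 'required' but the
    # new options have not been applied yet, so the control must still alarm.
    {"instance_id": "i-0example000000003", "title": "db-3", "region": "eu-west-1",
     "metadata_options": {"HttpTokens": "required", "State": "pending"}},
]


def evaluate(row):
    """Return (status, reason) using the same condition as the control's SQL."""
    opts = row.get("metadata_options") or {}  # NULL json -> alarm, as in SQL
    compliant = (opts.get("HttpTokens") == "required"
                 and opts.get("State") == "applied")
    verb = "configured" if compliant else "not configured"
    reason = f"{row['title']} {verb} to use Instance Metadata Service Version 2 (IMDSv2)."
    return ("ok" if compliant else "alarm"), reason


def remediation(row):
    """AWS CLI command that requires IMDSv2 tokens on a non-compliant instance."""
    return (f"aws ec2 modify-instance-metadata-options --region {row['region']} "
            f"--instance-id {row['instance_id']} --http-tokens required")


def run(rows=SAMPLE_ROWS):
    """Evaluate every row; return (instance_id, status, reason, fix_or_None) tuples."""
    results = []
    for row in rows:
        status, reason = evaluate(row)
        fix = None if status == "ok" else remediation(row)
        results.append((row["instance_id"], status, reason, fix))
    return results


if __name__ == "__main__":
    for instance_id, status, reason, fix in run():
        print(f"{status:5} {instance_id} {reason}")
        if fix:
            print(f"      fix: {fix}")
```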