
Control: 3.1 Ensure Compute Instance Legacy Metadata service endpoint is disabled


Compute Instances that utilize Legacy MetaData service endpoints (IMDSv1) are susceptible to potential SSRF attacks. To bolster security measures, it is strongly advised to reconfigure Compute Instances to adopt Instance Metadata Service v2, aligning with the industry's best security practices.

Enabling Instance Metadata Service v2 enhances security and grants precise control over metadata access. Transitioning from IMDSv1 reduces the risk of SSRF attacks, bolstering system protection.

IMDv1 poses security risks due to its inferior security measures and limited auditing capabilities. Transitioning to IMDv2 ensures a more secure environment with robust security features and improved monitoring capabilities.


From Console

  1. Login to OCI Console.
  2. Click on the search box at the top of the console and search for compute instance name.
  3. Click on the instance name, In the Instance Details section, next to Instance Metadata Service, click Edit.
  4. For the Instance metadata service, select the Version 2 only option.
  5. Click Save Changes.

Note: Disabling IMDSv1 on an incompatible instance may result in connectivity issues upon launch.

To re-enable IMDSv1, follow these steps:

  1. On the Instance Details page in the Console, click Edit next to Instance Metadata Service.
  2. Choose the Version 1 and version 2 option, and save your changes.

From CLI

Run Below Command,

oci compute instance update --instance-id [instance-ocid] --instance-options '{"areLegacyImdsEndpointsDisabled" :"true"}'

This will set Instance Metadata Service to use Version 2 Only.

Default Value

Versions 1 and 2


Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_3_1 --share


This control uses a named query:

i.id as resource,
when (instance_options -> 'areLegacyImdsEndpointsDisabled')::bool then 'ok'
else 'alarm'
end as status,
when (instance_options -> 'areLegacyImdsEndpointsDisabled')::bool then i.title || ' legacy metadata service endpoint disabled.'
else i.title || ' legacy metadata service endpoint enabled.'
end as reason
, i.region as region, i.tenant_name as tenant
, coalesce(c.name, 'root') as compartment
oci_core_instance as i
left join oci_identity_compartment as c on c.id = i.compartment_id;
