Require IMDSv2 For EC2 Instances

​

More Info:

Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS). IMDSv2 uses session-oriented requests. This allows you to create a session token that defines the session duration, which can be a minimum of 1 second and a maximum of 6 hours. During this duration, you can use the same session token for subsequent metadata requests. After this duration expires, you must create a new session token to use for future requests.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CBP, NISTCSF

​

Remediation

​

Using Console

To remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS console, follow these steps:

1. Log in to the AWS Management Console.
2. Navigate to the EC2 dashboard.
3. Select the EC2 instance that needs to be remediated.
4. Click on the “Actions” button and select “Instance Settings” and then click on “Modify IAM Role”.
5. In the “Modify IAM Role” dialog box, select “Require IMDSv2” and click “Save”.
6. Verify the configuration by checking the “IMDSv2” column in the EC2 instances view. It should show “Enabled”.

By following these steps, you have successfully remediated the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using the AWS console.

​

Using CLI

The Instance Metadata Service (IMDS) is a service provided by Amazon Web Services (AWS) that allows EC2 instances to retrieve metadata about themselves and their environment. IMDSv2 is a newer version of the service that provides additional security features.

To remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using AWS CLI, follow these steps:

1. Open the AWS CLI on your local machine or EC2 instance with appropriate IAM permissions.
2. Run the following command to enable IMDSv2 on all running EC2 instances in the current region:

aws ec2 modify-instance-metadata-options --instance-id $(curl -s http://169.254.169.254/latest/meta-data/instance-id) --http-put-response-hop-limit 1 --http-endpoint enabled

This command uses the modify-instance-metadata-options API to enable IMDSv2 on the current EC2 instance by passing --http-endpoint enabled and --http-put-response-hop-limit 1 parameters.

3. To enable IMDSv2 on all new EC2 instances launched in the current region, run the following command:

aws ec2 modify-instance-metadata-options --http-put-response-hop-limit 1 --http-endpoint enabled

This command uses the modify-instance-metadata-options API to enable IMDSv2 on all new EC2 instances launched in the current region by passing --http-endpoint enabled and --http-put-response-hop-limit 1 parameters.

4. Verify that the IMDSv2 is enabled on the EC2 instance by running the following command:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

This command should return the security credentials associated with the instance’s IAM role, indicating that IMDSv2 is enabled.

By following these steps, you can remediate the “Require IMDSv2 for EC2 Instances” misconfiguration in AWS using AWS CLI.

​

Using Python

The Instance Metadata Service (IMDS) is a service provided by AWS that allows EC2 instances to retrieve information about themselves and their environment. IMDSv1 is the default version of the service, but it has some security vulnerabilities that can be exploited by attackers. IMDSv2 is a more secure version of the service that addresses these vulnerabilities.

To remediate the “Require IMDSv2 For EC2 Instances” misconfiguration in AWS using Python, you can follow these steps:

1. Install the AWS SDK for Python (Boto3) using pip:

pip install boto3

2. Create a new Python script and import the necessary libraries:

import boto3
from botocore.exceptions import ClientError

3. Create a new session and EC2 client:

session = boto3.Session()
ec2_client = session.client('ec2')

4. Get a list of all EC2 instances in your account:

response = ec2_client.describe_instances()
instances = [i for r in response['Reservations'] for i in r['Instances']]

5. For each instance, check if IMDSv2 is already enabled:

for instance in instances:
    instance_id = instance['InstanceId']
    try:
        response = ec2_client.describe_instance_attribute(
            InstanceId=instance_id,
            Attribute='instanceMetadataOptions'
        )
        imds_mode = response['InstanceMetadataOptions']['HttpEndpoint']
        if imds_mode == 'enabled' and response['InstanceMetadataOptions']['HttpTokens'] == 'required':
            print(f"IMDSv2 already enabled for instance {instance_id}")
            continue
    except ClientError as e:
        if e.response['Error']['Code'] == 'InvalidInstanceID.NotFound':
            print(f"Instance {instance_id} not found")
            continue
        else:
            raise e

6. If IMDSv2 is not enabled, update the instance attribute to enable it:

response = ec2_client.modify_instance_metadata_options(
    InstanceId=instance_id,
    HttpEndpoint='enabled',
    HttpTokens='required'
)
print(f"IMDSv2 enabled for instance {instance_id}")

7. Save and run the Python script to remediate the misconfiguration.

Note: This script assumes that you have the necessary permissions to modify EC2 instance attributes in your AWS account.

​

Additional Reading:

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html