AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2
- Contextual name: Auto Scaling Group Launch Template is not configured to require IMDSv2
- ID: /ce/ca/aws/autoscaling/group-launch-template-imdsv2
- Located in: AWS Auto Scaling
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Similar Policies
- AWS Security Hub
  - [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-3)
- Internal
  - dec-x-fe8fe2c6
Similar Internal Rules
Rule | Policies | Flags
---|---|---
dec-x-fe8fe2c6 | 1 |
Logic
- prod.logic.yaml
Description
Ensure that the AWS EC2 Auto Scaling Group uses a Launch Template which is configured to enforce the use of Instance Metadata Service Version 2 (IMDSv2).
IMDSv2 is a session-oriented metadata retrieval mechanism that issues time-limited tokens, significantly reducing the risk of unauthorized metadata and IAM credential exposure.
Rationale
Enforcing IMDSv2 mitigates common attack vectors, such as Server-Side Request Forgery (SSRF) and improperly configured application firewalls, that could otherwise be exploited to steal instance metadata and associated IAM credentials. By requiring a session token, IMDSv2 ensures that metadata access is granted only to authenticated processes running on the instance.
Impact
If the Launch Template leaves the metadata options unspecified, the effective setting is inherited from the account-level and AMI-level defaults, which may not require IMDSv2.
Audit
This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if the related Launch Template (or Mixed Instances Launch Template) has the Latest Version with: ...
Remediation
To enforce IMDSv2, you must publish a new Launch Template version with `HttpTokens` set to `required` and then point your Auto Scaling Group at that version.
From Command Line
Create a New Launch Template Version
Execute the following AWS CLI command to clone the latest Launch Template version and require IMDSv2:
```shell
aws ec2 create-launch-template-version \
  --launch-template-id {{launch-template-id}} \
  --version-description "{{Enforcing IMDSv2}}" \
  --source-version {{latest-version-number}} \
  --launch-template-data '{"MetadataOptions":{"HttpTokens":"required"}}'
```
After running, note the `new-version-number` from the command output.
Update the Auto Scaling Group
Point your ASG at the newly created template version:
```shell
aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name {{auto-scaling-group-name}} \
  --launch-template LaunchTemplateId={{launch-template-id}},Version={{new-version-number}}
```
Replace `new-version-number` with the version number created in the first step.
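The audit rule and the two-step remediation above, carried through in code as an added example (this is not the scanner's own `prod.logic.yaml` logic and not AWS code). The compliance check treats a missing `MetadataOptions` block the same as `HttpTokens: optional`, which is the fallback-to-defaults case the Impact section describes; it also resolves a `MixedInstancesPolicy` launch template. The `remediate` function issues the same `CreateLaunchTemplateVersion` and `UpdateAutoScalingGroup` calls as the CLI commands, taking the clients as parameters so it can be run against real boto3 clients or, as here, against fake clients. All template IDs, ASG names and API responses below are constructed sample data.

```python
"""IMDSv2 compliance check and remediation for Auto Scaling Group launch templates.
Added example; sample data and fake clients are constructed for this illustration."""
from __future__ import annotations

import copy
from typing import Any


def latest_version(versions: list[dict[str, Any]]) -> dict[str, Any]:
    """Pick the highest VersionNumber; the policy evaluates the Latest Version only."""
    if not versions:
        raise ValueError("launch template has no versions")
    return max(versions, key=lambda v: v["VersionNumber"])


def requires_imdsv2(launch_template_data: dict[str, Any]) -> bool:
    """True only when HttpTokens is explicitly 'required'. A missing MetadataOptions
    block or HttpTokens 'optional' falls back to account/AMI defaults: non-compliant."""
    opts = launch_template_data.get("MetadataOptions") or {}
    return opts.get("HttpTokens") == "required"


def evaluate(asg: dict[str, Any], templates: dict[str, list[dict[str, Any]]]) -> dict[str, Any]:
    """Return the verdict for one ASG, resolving plain or MixedInstancesPolicy templates."""
    spec = asg.get("LaunchTemplate") or (
        asg.get("MixedInstancesPolicy", {}).get("LaunchTemplate", {}).get("LaunchTemplateSpecification")
    )
    if spec is None:
        return {"status": "NOT_APPLICABLE", "reason": "ASG does not use a launch template"}
    lt_id = spec["LaunchTemplateId"]
    latest = latest_version(templates[lt_id])
    compliant = requires_imdsv2(latest["LaunchTemplateData"])
    return {
        "status": "COMPLIANT" if compliant else "INCOMPLIANT",
        "launch_template_id": lt_id,
        "latest_version": latest["VersionNumber"],
    }


def remediation_payload() -> dict[str, Any]:
    """The --launch-template-data body from the CLI command above."""
    return {"MetadataOptions": {"HttpTokens": "required"}}


def remediate(ec2: Any, autoscaling: Any, asg_name: str, lt_id: str, source_version: int) -> int:
    """Publish a new template version requiring IMDSv2, then point the ASG at it.
    `ec2` and `autoscaling` are boto3-style clients (or fakes) supplied by the caller."""
    resp = ec2.create_launch_template_version(
        LaunchTemplateId=lt_id,
        SourceVersion=str(source_version),          # clone the latest version, as --source-version does
        VersionDescription="Enforcing IMDSv2",
        LaunchTemplateData=remediation_payload(),
    )
    new_version = resp["LaunchTemplateVersion"]["VersionNumber"]
    autoscaling.update_auto_scaling_group(
        AutoScalingGroupName=asg_name,
        LaunchTemplate={"LaunchTemplateId": lt_id, "Version": str(new_version)},
    )
    return new_version


# Constructed sample inventory: lt-0example1 never sets HttpTokens to required.
SAMPLE_TEMPLATES: dict[str, list[dict[str, Any]]] = {
    "lt-0example1": [
        {"VersionNumber": 1, "LaunchTemplateData": {"ImageId": "ami-example", "InstanceType": "t3.micro"}},
        {"VersionNumber": 2, "LaunchTemplateData": {"ImageId": "ami-example", "InstanceType": "t3.micro",
                                                  "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}}},
    ],
    "lt-0example2": [
        {"VersionNumber": 1, "LaunchTemplateData": {"ImageId": "ami-example",
                                                  "MetadataOptions": {"HttpTokens": "required"}}},
    ],
}
SAMPLE_ASGS: dict[str, dict[str, Any]] = {
    "web-asg": {"AutoScalingGroupName": "web-asg",
                "LaunchTemplate": {"LaunchTemplateId": "lt-0example1", "Version": "$Latest"}},
    "batch-asg": {"AutoScalingGroupName": "batch-asg",
                  "MixedInstancesPolicy": {"LaunchTemplate": {"LaunchTemplateSpecification":
                                                              {"LaunchTemplateId": "lt-0example2", "Version": "1"}}}},
}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client (constructed for this example)."""
    def __init__(self, templates: dict[str, list[dict[str, Any]]]) -> None:
        self.templates = templates

    def create_launch_template_version(self, LaunchTemplateId: str, SourceVersion: str,
                                       LaunchTemplateData: dict[str, Any], VersionDescription: str = "") -> dict[str, Any]:
        versions = self.templates[LaunchTemplateId]
        src = next(v for v in versions if v["VersionNumber"] == int(SourceVersion))
        merged = {**src["LaunchTemplateData"], **LaunchTemplateData}   # source version plus overrides
        new = {"VersionNumber": max(v["VersionNumber"] for v in versions) + 1, "LaunchTemplateData": merged}
        versions.append(new)
        return {"LaunchTemplateVersion": {"LaunchTemplateId": LaunchTemplateId, **new}}


class FakeAutoScaling:
    """Minimal stand-in for boto3's Auto Scaling client (constructed for this example)."""
    def __init__(self, asgs: dict[str, dict[str, Any]]) -> None:
        self.asgs = asgs

    def update_auto_scaling_group(self, AutoScalingGroupName: str, LaunchTemplate: dict[str, str]) -> None:
        self.asgs[AutoScalingGroupName]["LaunchTemplate"] = LaunchTemplate


def demo() -> dict[str, Any]:
    """Audit web-asg, remediate it, and audit again on a copy of the sample inventory."""
    templates, asgs = copy.deepcopy(SAMPLE_TEMPLATES), copy.deepcopy(SAMPLE_ASGS)
    before = evaluate(asgs["web-asg"], templates)
    new_version = remediate(FakeEC2(templates), FakeAutoScaling(asgs), "web-asg",
                            before["launch_template_id"], before["latest_version"])
    after = evaluate(asgs["web-asg"], templates)
    return {"before": before["status"], "new_version": new_version,
            "after": after["status"], "asg_version": asgs["web-asg"]["LaunchTemplate"]["Version"]}


if __name__ == "__main__":
    print(demo())
```

To run this against a real account, replace the fakes with `boto3.client("ec2")` and `boto3.client("autoscaling")` and feed `evaluate` the `LaunchTemplateVersions` list from `describe_launch_template_versions`; the call signatures used by `remediate` match those clients.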