
πŸ“ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟒

  • Contextual name: Auto Scaling Group Launch Template is not configured to require IMDSv2 🟢
  • ID: /ce/ca/aws/autoscaling/group-launch-template-imdsv2
  • Located in: AWS Auto Scaling

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-fe8fe2c61 | |

Logic

Description

Ensure that the AWS EC2 Auto Scaling Group uses a Launch Template which is configured to enforce the use of Instance Metadata Service Version 2 (IMDSv2).

IMDSv2 is a session-oriented metadata retrieval mechanism that issues time-limited tokens, significantly reducing the risk of unauthorized metadata and IAM credential exposure.

Rationale

Enforcing IMDSv2 mitigates common attack vectors, such as Server-Side Request Forgery (SSRF) and improperly configured application firewalls, that could otherwise be exploited to steal instance metadata and associated IAM credentials. By requiring a session token, IMDSv2 ensures that metadata access is granted only to authenticated processes running on the instance.

Impact

If the Launch Template leaves the metadata options unspecified, the effective setting is inherited from the account-level and AMI-level defaults, which may not require IMDSv2.

Audit

This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if the related Launch Template (or Mixed Instances Launch Template) has the Latest Version with:
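As an added worked example (not Cloudaware's rule code), the check described above applied to constructed ASG and launch-template records shaped like the boto3 describe_auto_scaling_groups and describe_launch_template_versions responses (an assumption), covering a mixed-instances ASG and a template version whose metadata options are left unspecified:

```python
# Added illustration of the audit logic; not Cloudaware's own rule code. Record
# shapes mimic boto3 describe_auto_scaling_groups / describe_launch_template_versions
# responses (assumption). Sample data below is constructed.
LAUNCH_TEMPLATE_VERSIONS = {
    "lt-0aaa": [
        {"VersionNumber": 1, "LaunchTemplateData": {}},
        {"VersionNumber": 2, "LaunchTemplateData": {
            "MetadataOptions": {"HttpTokens": "required"}}},
    ],
    "lt-0bbb": [
        {"VersionNumber": 1, "LaunchTemplateData": {
            "MetadataOptions": {"HttpTokens": "optional"}}},
        {"VersionNumber": 2, "LaunchTemplateData": {}},  # options left unspecified
    ],
}
AUTO_SCALING_GROUPS = [
    {"AutoScalingGroupName": "web-asg",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0aaa", "Version": "$Latest"}},
    {"AutoScalingGroupName": "batch-asg",  # mixed-instances ASG pinned to version 1
     "MixedInstancesPolicy": {"LaunchTemplate": {"LaunchTemplateSpecification": {
         "LaunchTemplateId": "lt-0bbb", "Version": "1"}}}},
]

def launch_template_id(asg):
    """Launch template id from a plain or mixed-instances ASG, or None."""
    spec = asg.get("LaunchTemplate") or asg.get("MixedInstancesPolicy", {}).get(
        "LaunchTemplate", {}).get("LaunchTemplateSpecification")
    return spec.get("LaunchTemplateId") if spec else None

def evaluate_asg(asg, versions_by_id):
    """Apply the policy: the template's latest version must set HttpTokens=required,
    regardless of which version the ASG currently pins."""
    lt_id = launch_template_id(asg)
    if lt_id is None:  # launch-configuration ASGs are outside this policy (assumption)
        return "NOT_APPLICABLE", "no launch template attached"
    latest = max(versions_by_id[lt_id], key=lambda v: v["VersionNumber"])
    tokens = latest["LaunchTemplateData"].get("MetadataOptions", {}).get("HttpTokens")
    where = f"{lt_id} v{latest['VersionNumber']}"
    if tokens == "required":
        return "COMPLIANT", f"{where}: HttpTokens=required"
    if tokens is None:
        return "INCOMPLIANT", f"{where}: HttpTokens unspecified, account/AMI default applies"
    return "INCOMPLIANT", f"{where}: HttpTokens={tokens}"

def audit(asgs=AUTO_SCALING_GROUPS, versions_by_id=LAUNCH_TEMPLATE_VERSIONS):
    """Map each ASG name to its (status, reason)."""
    return {a["AutoScalingGroupName"]: evaluate_asg(a, versions_by_id) for a in asgs}

if __name__ == "__main__":
    for name, (status, reason) in audit().items():
        print(f"{status:14} {name}: {reason}")
```

Note that batch-asg is flagged even though it pins version 1: the policy evaluates the template's latest version, so publishing a version without MetadataOptions makes the ASG non-compliant.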

Remediation

To enforce IMDSv2, you must publish a new Launch Template version with HttpTokens set to required and then point your Auto Scaling Group at that version.

From Command Line

Create a New Launch Template Version

Execute the following AWS CLI command to clone the latest Launch Template version and require IMDSv2:

aws ec2 create-launch-template-version \
--launch-template-id {{launch-template-id}} \
--version-description "{{Enforcing IMDSv2}}" \
--source-version {{latest-version-number}} \
--launch-template-data '{"MetadataOptions":{"HttpTokens":"required"}}'

After running, note the new version number (new-version-number) in the command output.

Update the Auto Scaling Group

Point your ASG at the newly created template version:

aws autoscaling update-auto-scaling-group \
--auto-scaling-group-name {{auto-scaling-group-name}} \
--launch-template LaunchTemplateId={{launch-template-id}},Version={{new-version-number}}

Replace new-version-number with the version number created in the first step.

policy.yaml

Linked Framework Sections

  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
  • 💼 Cloudaware Framework → 💼 Secure Access
  • 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)
  • 💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  • 💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement | Role-based Access Control
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement | Discretionary and Mandatory Access Control
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege
  • 💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections | Compliance Checks
  • 💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration
  • 💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity | Integrity Verification
  • 💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.
  • 💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.
  • 💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.