⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 AWS → 📁 Auto Scaling

🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢

Contextual name: 🛡️ Auto Scaling Group Launch Template is not configured to require IMDSv2🟢
ID: /ce/ca/aws/autoscaling/group-launch-template-imdsv2
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS EC2 Auto Scaling Group
- 🔌 AWS EC2 Launch Template Version - object.extracts.yaml
- 🔌 AWS EC2 Auto Scaling Group - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
Internal: dec-x-fe8fe2c6

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-fe8fe2c6	1

Description

Open File

Description

Ensure that the AWS EC2 Auto Scaling Group uses a Launch Template which is configured to enforce the use of Instance Metadata Service Version 2 (IMDSv2).

IMDSv2 is a session-oriented metadata retrieval mechanism that issues time-limited tokens, significantly reducing the risk of unauthorized metadata and IAM credential exposure.

Rationale

Enforcing IMDSv2 mitigates common attack vectors, such as Server-Side Request Forgery (SSRF) and improperly configured application firewalls, that could otherwise be exploited to steal instance metadata and associated IAM credentials. By requiring a session token, IMDSv2 ensures that metadata access is granted only to authenticated processes running on the instance.

Impact

If you leave the metadata version unspecified, the configuration will be determined by the defaults of the account and AMI levels which might be without explicit IMDSv2 requirement.

Audit

This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if the related Launch Template (or Mixed Instances Launch Template) has the Latest Version with:

... see more

Remediation

Open File

Remediation

To enforce IMDSv2, you must publish a new Launch Template version with HttpTokens set to required and then point your Auto Scaling Group at that version.

From Command Line

Create a New Launch Template Version

Execute the following AWS CLI command to clone the latest Launch Template version and require IMDSv2:
aws ec2 create-launch-template-version \
    --launch-template-id {{launch-template-id}} \
    --version-description "{{Enforcing IMDSv2}}" \
    --source-version {{latest-version-number}} \
    --launch-template-data '{"MetadataOptions":{"HttpTokens":"required"}}'
After running, note the new new-version-number from the command output.

Update the Auto Scaling Group

Point your ASG at the newly created template version:
aws autoscaling update-auto-scaling-group \
    --auto-scaling-group-name {{auto-scaling-group-name}} \
    --launch-template LaunchTemplateId={{launch-template-id}},Version={{new-version-number}}
Replace new-version-number with the version number created in the first step.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)		1	1	no data
💼 Cloudaware Framework → 💼 Secure Access			55	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	67	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	56	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	26	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			25	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		56	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		26	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			91	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			111	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			69	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			11	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	49	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			21	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		25	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification		19	21	no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16	no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16	no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

From Command Line​

Create a New Launch Template Version​

Update the Auto Scaling Group​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

From Command Line

Create a New Launch Template Version

Update the Auto Scaling Group

policy.yaml

Linked Framework Sections