📝 AWS EC2 Instance IMDSv2 is not enabled 🟢

• Contextual name: 📝 Instance IMDSv2 is not enabled 🟢
• ID: /ce/ca/aws/ec2/instance-imdsv2
• Located in: 📁 AWS EC2

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Require IMDSv2 for EC2 Instances
• Internal
  • dec-x-b42fae78

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b42fae78	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 AWS EC2 Instance
  • 🔌 AWS EC2 Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).

Rationale

Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally-stored EC2 instance metadata and credentials.

... see more

Remediation

Open File

Remediation

Using AWS CloudFormation

• CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enforce IMDSv2 on a specified EC2 instance

Parameters:
  InstanceId:
    Type: String
    Description: EC2 Instance ID to update with IMDSv2 enforcement

Resources:
  EnforceIMDSv2:
    Type: AWS::EC2::Instance
    Properties:
      InstanceId: !Ref InstanceId
      MetadataOptions:
        HttpTokens: required

From Command Line

1. Run the describe-instances command using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region:

aws ec2 describe-instances --region <region-name> --output table --query "Reservations[*].Instances[*].InstanceId"

2. The command output should return a table with the requested instance IDs.
3. Now run the modify-instance-metadata-options command using an instance ID returned at the previous step to update the Instance Metadata Version:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --region <region-name>

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 36b configuration management —the configuration of information assets minimises vulnerabilities and is defined, assessed, registered, maintained, including when new vulnerabilities and threats are discovered, and applied consistently;		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)		1	1
💼 CIS AWS v2.0.0 → 💼 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 - Level 1 (Automated)		1	1
💼 CIS AWS v3.0.0 → 💼 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 - Level 1 (Automated)		1	1
💼 CIS AWS v4.0.0 → 💼 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)			1
💼 CIS AWS v4.0.1 → 💼 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)			1
💼 CIS AWS v5.0.0 → 💼 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)			1
💼 Cloudaware Framework → 💼 Secure Access			53
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	64
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	53
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		53
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			88
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			66
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	34
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			11
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			11
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	46
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification		19	21
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16
💼 SOC 2 → 💼 CC7.1-1 Uses Defined Configuration Standards		4	5